<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On May 27, 2009, at 11:22 AM, Luke Shepard wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div> <font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Actually, I think that we can accomplish most useful use cases using just logout_setup.<br> <br> An OP can choose to redirect back immediately if it doesn’t want to have user interaction. For example, suppose you go to blogger.com and are signed in with your google account. If you click “logout”, then you are redirected to a <a href="http://www.google.com">www.google.com</a> url, which clears your cookies, and then immediately directs you back. However, if Google wanted to, it could choose to require some user action. So I like logout_setup because it leaves it at the discretion of the provider (and ultimately, the user who chooses their provider).<br><br></span></font></div></blockquote><br></div><div>This is an interesting idea, leaving the user interaction decision in the hands of the OP, not the RP. The issue have is the possibility that the user might think they have logged out of *all* RPs with this action. If the OP decides to not interact with the end user, it might reinforce this perception.</div><div><br></div><div>What if the OP (interacting with the end user in a popup from a logout_setup call, for example), in addition to showing the "do you want to log out of OP x as well?" dialog, also showed a list of recently authenticated RPs as a reminder of where else they might want to log out of? For example, "You just logged out of RP x. You recently logged into RPs y and z as well, don't forget to log out of those too". myOpenID shows you an activity log when logged in to their site, and this is the same idea, just presented differently, and in a logout context, but still from the OP.</div><div><br></div><div>Regards,</div><div><br></div><div>Bill</div></body></html>