<HTML>
<HEAD>
<TITLE>Re: [OpenID] Feedback from OpenID demo</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Actually, I think that we can accomplish most useful use cases using just logout_setup.<BR>
<BR>
An OP can choose to redirect back immediately if it doesn’t want to have user interaction. For example, suppose you go to blogger.com and are signed in with your google account. If you click “logout”, then you are redirected to a www.google.com url, which clears your cookies, and then immediately directs you back. However, if Google wanted to, it could choose to require some user action. So I like logout_setup because it leaves it at the discretion of the provider (and ultimately, the user who chooses their provider).<BR>
<BR>
<BR>
On 5/27/09 11:17 AM, "Santosh Rajan" <<a href="santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
<BR>
My Vote for logout_immediate. I think the user instinctively knows that<BR>
logging out of RP means logging out of OP. Look at how logout works when you<BR>
login via Google and Facebook now. We should continue with this trend.<BR>
<BR>
<BR>
Luke Shepard wrote:<BR>
><BR>
> Agreed, logout_immediate can be scary. I think it would be fine to start<BR>
> with just logout_setup - simpler is better after all. A provider that<BR>
> wants to aggressively log out can just redirect immediately if it wants<BR>
> to.<BR>
><BR>
><BR>
> On 5/27/09 10:09 AM, "David Recordon" <<a href="david@sixapart.com">david@sixapart.com</a>> wrote:<BR>
><BR>
> I agree that logout_immediate seems a bit scary, if we already have a<BR>
> challenge explaining to users what "always remember" means and will<BR>
> do, having an OP also explain that the site could log them out is even<BR>
> more complex. I think the equivalent of a logout_setup makes sense<BR>
> especially when combined with a popup style UI.<BR>
><BR>
> --David<BR>
><BR>
> On May 26, 2009, at 6:03 PM, Martin Atkins wrote:<BR>
><BR>
>> Bill Shupp wrote:<BR>
>>> Obviously, #2 really highlighted #1. People thought that login<BR>
>>> should be an explicit action, not automatic. When discussing #1, I<BR>
>>> mentioned an idea that Luke Shepard shared this week at IIW, of<BR>
>>> adding "logout_setup" and "logout_immediate" to the protocol. The<BR>
>>> idea being that if you click logout on the RP, it could send a<BR>
>>> "logout_setup" to the OP, which would trigger a popup asking if you<BR>
>>> also want to logout of the OP as well. This idea got a pretty<BR>
>>> favorable response, and seemed to satisfy some of those concerned<BR>
>>> with the Single Sign Out issue. "logout_immediate" could behave<BR>
>>> similar to "checkid_immediate", where the logout is performed<BR>
>>> without user interaction, and might be favored by higher value RPs<BR>
>>> like mint.com or the like. Obviously, there's room for RP abuse<BR>
>>> here, though.<BR>
>><BR>
>> This logout_immediate thing makes me nervous for the reason you<BR>
>> state at the end here. checkid_immediate doesn't actually change any<BR>
>> state on my OP, it just inspects the state. logout_immediate *does*<BR>
>> change state on my OP from the context of my RP, which I don't<BR>
>> like the sound of at all.<BR>
>><BR>
>> logout_setup is better because it is an interaction at the OP that<BR>
>> causes the change in state. This creates a log out flow similar to<BR>
>> one I've created on a current project of mine where I have behavior<BR>
>> that could be described as single sign-on: the Sign Out link goes to<BR>
>> a page served from the authentication provider which explains that<BR>
>> this action will also end the session on all other sites in the<BR>
>> "network" and offers the user a chance to back out if that's not<BR>
>> what he wanted to do.<BR>
>><BR>
>> Also, without the RP periodically checking in with the OP this<BR>
>> doesn't seem to solve the problem: if I use the "Log Out" function<BR>
>> on one RP I get logged out of that RP and my OP but not any other<BR>
>> RPs I'm already logged in to. Doing some kind of call to the OP on<BR>
>> every request (or every few requests), much as is done with Facebook<BR>
>> Connect today, can solve this problem, but it creates new problems:<BR>
>><BR>
>> * The user experience on the RP may be impacted in a far worse way<BR>
>> if the OP is down or slow.<BR>
>><BR>
>> * It dramatically increases the amount of load an OP has to deal<BR>
>> with; many of today's OPs probably aren't scaled to deal with it.<BR>
>><BR>
>> * It will need to deal sensibly with the transition between one<BR>
>> identifier and another as well as the transition between logged out<BR>
>> and logged in and vice-versa. In Facebook's current implementation I<BR>
>> can attach multiple identifiers to my account, so this change in<BR>
>> identifier might also change the OP in use, requiring the RP to<BR>
>> check in with all of them.<BR>
>><BR>
>> _______________________________________________<BR>
>> general mailing list<BR>
>> <a href="general@openid.net">general@openid.net</a><BR>
>> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
><BR>
<BR>
<BR>
-----<BR>
<BR>
Santosh Rajan<BR>
<a href="http://santrajan.blogspot.com">http://santrajan.blogspot.com</a><BR>
--<BR>
View this message in context: <a href="http://www.nabble.com/Feedback-from-OpenID-demo-tp23674393p23748043.html">http://www.nabble.com/Feedback-from-OpenID-demo-tp23674393p23748043.html</a><BR>
Sent from the OpenID - General mailing list archive at Nabble.com.<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
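The two modes discussed in this thread, as an added example (not code from any poster or from the OpenID specification): a toy OP in which logout_immediate changes OP state straight from the RP's request, while logout_setup changes nothing until the user confirms on the OP's own page, unless the OP's policy is to redirect back at once. The Provider class, its method names and rp.example are assumptions; logout_setup and logout_immediate are the proposal under discussion, not OpenID 2.0 modes.

```python
import hashlib
import hmac
import secrets

class Provider:
    """Toy OP. The logout_* modes are the thread's proposal, not OpenID 2.0."""

    def __init__(self, interactive=True):
        self.interactive = interactive       # OP policy: ask the user first?
        self.sessions = {}                   # OP session id -> user
        self._key = secrets.token_bytes(32)  # keys the confirmation tokens

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def _token(self, sid):
        # Bound to the OP session, so the RP cannot produce it for the user.
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, sid, params):
        """RP-initiated request, arriving with the user's OP session cookie."""
        mode, back = params["openid.mode"], params["openid.return_to"]
        if mode not in ("logout_setup", "logout_immediate"):
            raise ValueError("unsupported mode: " + mode)
        if sid not in self.sessions:
            return {"action": "redirect", "to": back}
        if mode == "logout_immediate" or not self.interactive:
            # OP state changes from the RP's context, with no user action.
            del self.sessions[sid]
            return {"action": "redirect", "to": back}
        # logout_setup: nothing changes until the user acts on the OP's page.
        return {"action": "confirm", "token": self._token(sid), "to": back}

    def confirm(self, sid, token, back):
        """The user submitted the OP's own confirmation form."""
        if sid in self.sessions and hmac.compare_digest(token, self._token(sid)):
            del self.sessions[sid]
        return {"action": "redirect", "to": back}

def demo():
    # Constructed request; rp.example is a placeholder RP.
    req = {"openid.mode": "logout_setup", "openid.return_to": "https://rp.example/"}
    op = Provider(interactive=True)
    sid = op.login("alice")
    page = op.handle(sid, req)
    before = sid in op.sessions              # still signed in at the OP
    op.confirm(sid, page["token"], page["to"])
    return before, sid in op.sessions
```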
</BODY>
</HTML>