<HTML>
<HEAD>
<TITLE>Re: [OpenID] Feedback from OpenID demo</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Agreed, logout_immediate can be scary. I think it would be fine to start with just logout_setup – simpler is better after all. A provider that wants to aggressively log out can just redirect immediately if it wants to.<BR>
<BR>
<BR>
On 5/27/09 10:09 AM, "David Recordon" <<a href="david@sixapart.com">david@sixapart.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I agree that logout_immediate seems a bit scary, if we already have a <BR>
challenge explaining to users what "always remember" means and will <BR>
do, having an OP also explain that the site could log them out is even <BR>
more complex. I think the equivalent of a logout_setup makes sense <BR>
especially when combined with a popup style UI.<BR>
<BR>
--David<BR>
<BR>
On May 26, 2009, at 6:03 PM, Martin Atkins wrote:<BR>
<BR>
> Bill Shupp wrote:<BR>
>> Obviously, #2 really highlighted #1. People thought that login <BR>
>> should be an explicit action, not automatic. When discussing #1, I <BR>
>> mentioned an idea that Luke Shepard shared this week at IIW, of <BR>
>> adding "logout_setup" and "logout_immediate" to the protocol. The <BR>
>> idea being that if you click logout on the RP, it could send a <BR>
>> "logout_setup" to the OP, which would trigger a popup asking if you <BR>
>> also want to logout of the OP as well. This idea got a pretty <BR>
>> favorable response, and seemed to satisfy some of those concerned <BR>
>> with the Single Sign Out issue. "logout_immediate" could behave <BR>
>> similar to "checkid_immediate", where the logout is performed <BR>
>> without user interaction, and might be favored by higher value RPs <BR>
>> like mint.com or the like. Obviously, there's room for RP abuse <BR>
>> here, though.<BR>
><BR>
> This logout_immediate thing makes me nervous for the reason you <BR>
> state at the end here. checkid_immediate doesn't actually change any <BR>
> state on my OP, it just inspects the state. logout_immediate *does* <BR>
> change state in on my OP from the context of my RP, which I don't <BR>
> like the sound of at all.<BR>
><BR>
> logout_setup is better because it is an interation at the OP that <BR>
> causes the change in state. This creates a log out flow similar to <BR>
> one I've created on a current project of mine where I have behavior <BR>
> that could be described as single sign-on: the Sign Out link goes to <BR>
> a page served from the authentication provider which explains that <BR>
> this action will also end the session on all other sites in the <BR>
> "network" and offers the user a chance to back out if that's not <BR>
> what he wanted to do.<BR>
><BR>
> Also, without the RP periodically checking in with the OP this <BR>
> doesn't seem to solve the problem: if I use the "Log Out" function <BR>
> on one RP I get logged out of that RP and my OP but not any other <BR>
> RPs I'm already logged in to. Doing some kind of call to the OP on <BR>
> every request (or every few requests), much as is done with Facebook <BR>
> Connect today, can solve this problem, but it creates new problems:<BR>
><BR>
> * The user experience on the RP may be impacted in a far worse way <BR>
> if the OP is down or slow.<BR>
><BR>
> * It dramatically increases the amount of load an OP has to deal <BR>
> with; many of today's OPs probably aren't scaled to deal with it.<BR>
><BR>
> * It will need to deal sensibly with the transition between one <BR>
> identifier and another as well as the transition between logged out <BR>
> and logged in and vice-versa. In Facebook's current implementation I <BR>
> can attach multiple identifiers to my account, so this change in <BR>
> identifier might also change the OP in use, requiring the RP to <BR>
> check in with all of them.<BR>
><BR>
> _______________________________________________<BR>
> general mailing list<BR>
> <a href="general@openid.net">general@openid.net</a><BR>
> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
<BR>
_______________________________________________<BR>
general mailing list<BR>
<a href="general@openid.net">general@openid.net</a><BR>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>