<HTML>
<HEAD>
<TITLE>Re: [OpenID] Feedback from OpenID demo</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I think innovation around the logout experience will be an important piece of fallout from defining logout_setup. Your suggestion is intriguing; I’d like to see how users respond. In our user testing for Facebook Connect, we found that even the choice of “logout” or “cancel” was too much and confused users; my hunch is that too many variables will be bad. But I would love to enable a competitive marketplace where that can be borne out. <BR>
<BR>
It would also be worth noting that it’s acceptable to show the logout UI in an iframe, rather than a popup – because it involves no user credentials being entered. It could be full screen as well. I think the UX/popup extension would be appropriate here as well.<BR>
<BR>
<BR>
On 5/27/09 5:53 PM, "Bill Shupp" &lt;<a href="mailto:hostmaster@shupp.org">hostmaster@shupp.org</a>&gt; wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>On May 27, 2009, at 11:22 AM, Luke Shepard wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'> Actually, I think that we can accomplish most useful use cases using just logout_setup.<BR>
<BR>
An OP can choose to redirect back immediately if it doesn’t want to have user interaction. For example, suppose you go to blogger.com and are signed in with your google account. If you click “logout”, then you are redirected to a <a href="http://www.google.com">www.google.com</a> URL, which clears your cookies, and then immediately directs you back. However, if Google wanted to, it could choose to require some user action. So I like logout_setup because it leaves it at the discretion of the provider (and ultimately, the user who chooses their provider).<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
This is an interesting idea, leaving the user interaction decision in the hands of the OP, not the RP. The issue I have is the possibility that the user might think they have logged out of *all* RPs with this action. If the OP decides to not interact with the end user, it might reinforce this perception.<BR>
<BR>
What if the OP (interacting with the end user in a popup from a logout_setup call, for example), in addition to showing the "do you want to log out of OP x as well?" dialog, also showed a list of recently authenticated RPs as a reminder of where else they might want to log out of? For example, "You just logged out of RP x. You recently logged into RPs y and z as well, don't forget to log out of those too". myOpenID shows you an activity log when logged in to their site, and this is the same idea, just presented differently, and in a logout context, but still from the OP.<BR>
<BR>
Regards,<BR>
<BR>
Bill<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>