Shade,<div><br></div><div>I don't understand how you can use an OP to log into an RP without the OP being aware that it's sending that assertion. If one can assume the asserting OP knows which RP it's going to (which it must IMO) then the RP ought to be able to send a message to the OP (via an iframe in the RP site directing the user to an openid single-log-out endpoint) so the OP can send various iframes to log the user out of each RP that that same OP has logged the user into.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, Sep 30, 2009 at 8:53 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
What worries me in general about single-logout is that the user may have multiple OPs with which they're signed in to a given RP, and not want to have any party *except for that RP* aware that these OPs (or the URIs they vouch for) are associated.<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The OP sending an iframe that logs the user agent out of all the RPs sounds cool, and simpler than the OAuth idea.<br>
</blockquote>
<br></div>
Better have some code in that iframe to detect if the user can't currently connect to an RP for logout, and either keep trying or present an error announcing that it couldn't be done.<br>
<br>
Using just a single OAuth SP minimizes this risk, but what if you *still* can't connect? Ask the RPs to send an occasional "keep-alive" ping to the SP (via the user) so it can have the authentication time out? That's a lot of pings if the user is hopping around multiple sites, none of which knows that the user was recently active on another. It's also "hand-holding", and imperils the user's session with RPs if the OAuth SP ever experiences downtime :(<br>
<br>
-Shade<br>
</blockquote></div><br></div>
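<div>Added example (not code from the thread, and not from any OpenID specification): a simulation of the RP-initiated single-logout design discussed above. The OP records every RP it has issued an assertion to for a browser session, so when one RP hits the OP's logout endpoint the OP can answer with a logout target for each RP in that session; the "browser" loop then delivers those logouts with the retry-and-report behaviour Shade asks for. A second OP signed in to the same RP is included to show that one OP's logout list is built only from its own records, so it neither touches nor reveals the other OP's session. The class and method names (OpenIDProvider, RelyingParty, single_logout, run_single_logout) and the "shop"/"wiki"/"forum" RPs are hypothetical, and the unreachable RP is a constructed failure.</div>

```python
"""Single-logout simulation (added example; hypothetical names throughout)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    name: str
    reachable: bool = True               # constructed: False simulates a dead RP
    sessions: set = field(default_factory=set)  # RP-local sessions, keyed by assertion id

    def accept_assertion(self, assertion_id: str) -> None:
        """RP logs the user in on the strength of an OP assertion."""
        self.sessions.add(assertion_id)

    def logout_endpoint(self, assertion_id: str) -> bool:
        """What the OP's iframe would load at the RP; raises if unreachable."""
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.sessions.discard(assertion_id)
        return True


class OpenIDProvider:
    def __init__(self) -> None:
        # op_session -> {rp_name: assertion_id}. The OP only ever records RPs
        # it asserted to itself, which is the point Andrew makes: it must know
        # the RP to send the assertion, so it can know whom to log out later.
        self._sessions: dict = {}

    def assert_to(self, op_session: str, rp: RelyingParty) -> str:
        assertion_id = secrets.token_hex(8)
        self._sessions.setdefault(op_session, {})[rp.name] = assertion_id
        rp.accept_assertion(assertion_id)
        return assertion_id

    def single_logout(self, op_session: str) -> list:
        """The OP's single-logout endpoint, hit by the RP via an iframe.
        Returns (rp_name, assertion_id) pairs for every RP in the session."""
        targets = self._sessions.pop(op_session, {})
        return list(targets.items())


def run_single_logout(op: OpenIDProvider, op_session: str, rps: dict,
                      max_attempts: int = 3) -> list:
    """Simulated OP logout page: deliver each RP logout, retry on failure,
    and return the names of RPs that could not be reached (Shade's check)."""
    failed = []
    for rp_name, assertion_id in op.single_logout(op_session):
        for _ in range(max_attempts):
            try:
                rps[rp_name].logout_endpoint(assertion_id)
                break
            except ConnectionError:
                continue
        else:
            failed.append(rp_name)
    return failed


def demo() -> dict:
    """Constructed scenario: two OPs, three RPs, one RP unreachable."""
    op_a, op_b = OpenIDProvider(), OpenIDProvider()
    rps = {n: RelyingParty(n) for n in ("shop", "wiki", "forum")}
    rps["forum"].reachable = False
    op_a.assert_to("sessA", rps["shop"])
    op_a.assert_to("sessA", rps["forum"])
    op_b.assert_to("sessB", rps["shop"])   # same RP, via a second OP
    op_b.assert_to("sessB", rps["wiki"])
    failed = run_single_logout(op_a, "sessA", rps)
    return {
        "failed": failed,
        "shop_sessions": len(rps["shop"].sessions),   # op_b's login survives
        "wiki_sessions": len(rps["wiki"].sessions),   # never touched by op_a
        "forum_sessions": len(rps["forum"].sessions), # not cleared: unreachable
        "second_logout": run_single_logout(op_a, "sessA", rps),  # nothing left
    }


if __name__ == "__main__":
    print(demo())
```

<div>One caveat for a real browser implementation: a page cannot directly observe whether a cross-origin iframe failed to load, so the "could not connect" detection above is normally done by having each RP's logout page post an acknowledgement back to the OP page (postMessage) and treating a missing acknowledgement after a timeout as a failure to retry or report.</div>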