[security] Logout
John Bradley
ve7jtb at ve7jtb.com
Fri May 6 13:42:44 UTC 2011
The proposal is to have a lightweight way for the RP to check if the user is still logged in to their IdP.
If the user logs out of their IdP, the RP should terminate the session the next time they check for status.
There will also be a redirect flow to the IdP that will present an IdP-controlled logout screen.
RP won't be able to force logout from the IdP or other RP.
They will have a way to send a user back to the IdP so that they can logout if they want to.
John B.
On 2011-05-06, at 3:50 AM, Jacob Bellamy wrote:
> Hi,
>
> Are we talking here about some mechanism for RPs to specify a time at which the user's session with their OP should expire? If they could, then an RP could potentially pick a short expiry time that negatively affects the user's use of OpenID. The user is also unlikely to know the reason why their sessions are timing out so fast, and would likely think it is a problem with the provider. Or have I misunderstood the question?
>
> - Jacob.
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security