My idea is ...

← Ideas

Provide a logout ability or only authenticate with provider

This is one of the major security flaws I have found in the OpenID platform. Users are not properly informed that they are (not with all providers) being logged into their OpenID providers site as well.

The session for the site they originally logged into is controlled separately from the provider. This leaves their main account open to be abused.

6 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Charlie Francis shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

1 comment

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • AdminChris Messina (Admin, OpenID) commented  ·   ·  Flag as inappropriate

    Well, it's not that simple of a problem, and has been raised on the mailing list.

    For example, if Google is your OpenID provider and you sign out of Google, should you also be signed out of YouTube (for just one example)? Some people may want that; others may not.

    It's also a lot harder to push a notification that the "user signed out" to other sites and make sure that the process completes successfully... For example, you know if your login attempt worked because you're either logged in to the immediate site you're on or you're not. If you're signed in to 10 sites, do you really want to visit each site to confirm? Or worse, *wait* for each site to return a message that confirms that you've signed out?

    It isn't that this isn't a valid idea — it's one that has been discussed at length:

    https://wiki.openid.net/f/OpenID%20Logout.pdf

    It's just that implementing it is not only not part of the current OpenID protocol, but it's also something that has a difficult user experience to get right.

Ideas

Feedback and Knowledge Base

(thinking…)