Provide a logout ability or only authenticate with provider

This is one of the major security flaws I have found in the OpenID platform. Users are not properly informed that they are (not with all providers) being logged into their OpenID provider's site as well.

The session for the site they originally logged into is controlled separately from the provider. This leaves their main account open to be abused.

6 votes
Charlie Francis shared this idea

    1 comment

      • Chris Messina (Admin, OpenID) commented

        Well, it's not that simple of a problem, and has been raised on the mailing list.

        For example, if Google is your OpenID provider and you sign out of Google, should you also be signed out of YouTube (for just one example)? Some people may want that; others may not.

        It's also a lot harder to push a notification that the "user signed out" to other sites and make sure that the process completes successfully... For example, you know if your login attempt worked because you're either logged in to the immediate site you're on or you're not. If you're signed in to 10 sites, do you really want to visit each site to confirm? Or worse, *wait* for each site to return a message that confirms that you've signed out?

        It isn't that this isn't a valid idea — it's one that has been discussed at length:

        https://wiki.openid.net/f/OpenID%20Logout.pdf

        It's just that implementing it is not only not part of the current OpenID protocol, but it's also something that has a difficult user experience to get right.
