Provide a logout ability or only authenticate with provider
This is one of the major security flaws I have found in the OpenID platform. Users are not properly informed that they are (not with all providers) being logged into their OpenID provider's site as well.
The session for the site they originally logged into is controlled separately from the provider. This leaves their main account open to be abused.
Chris Messina (Admin, OpenID) commented
Well, it's not that simple of a problem, and has been raised on the mailing list.
For example, if Google is your OpenID provider and you sign out of Google, should you also be signed out of YouTube (for just one example)? Some people may want that; others may not.
It's also a lot harder to push a notification that the "user signed out" to other sites and make sure that the process completes successfully... For example, you know if your login attempt worked because you're either logged in to the immediate site you're on or you're not. If you're signed in to 10 sites, do you really want to visit each site to confirm? Or worse, *wait* for each site to return a message that confirms that you've signed out?
It isn't that this isn't a valid idea — it's one that has been discussed at length:
It's just that implementing it is not only not part of the current OpenID protocol, but it's also something that has a difficult user experience to get right.
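The two posts above make the same underlying point from opposite sides: a relying party (RP) and the OpenID provider each keep their own session, so logging out of one does nothing to the other. The model below is an added example, not code from the thread, from OpenID, or from any provider. It stands in two in-memory session stores for the two sites and shows three outcomes: an RP-only logout that leaves the provider session alive (the flaw the original post describes), a provider-only logout that leaves the RP session alive (the YouTube situation in the reply), and the mitigation the original post asks for, where the RP clears its own session and then sends the browser to the provider's logout page. `PROVIDER_LOGOUT_URL` is a placeholder; OpenID 2.0 defines no standard logout endpoint.

```python
"""Model of the two independent sessions created by an OpenID login.

Added example, not code from the thread or from OpenID. The provider
logout URL is a hypothetical placeholder: the protocol has no standard
logout endpoint, so an RP can at best redirect to whatever page a
particular provider documents.
"""
import secrets

# Hypothetical placeholder, not a real provider endpoint.
PROVIDER_LOGOUT_URL = "https://openid-provider.example/logout"


class SessionStore:
    """cookie value -> user id, standing in for one site's session table."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(16)
        self._sessions[token] = user
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)


provider = SessionStore()       # the OpenID provider's own sessions
relying_party = SessionStore()  # the site the user actually wanted to use


def openid_login(user):
    """Log in at the RP through the provider.

    The provider authenticates the user and sets its own cookie, then the
    RP sets a separate cookie. The browser now holds one cookie per site.
    """
    provider_cookie = provider.create(user)
    rp_cookie = relying_party.create(user)
    return provider_cookie, rp_cookie


def rp_logout_local(rp_cookie):
    """Typical RP logout: clears only the RP session, no redirect."""
    relying_party.destroy(rp_cookie)
    return None


def provider_logout(provider_cookie):
    """What the provider's own logout page does: clears only its session."""
    provider.destroy(provider_cookie)


def rp_logout_with_provider(rp_cookie):
    """Mitigation: clear the RP session, then send the user on to the
    provider's logout page so both sessions end."""
    relying_party.destroy(rp_cookie)
    return PROVIDER_LOGOUT_URL


def after_rp_only_logout(user):
    """(rp_user, provider_user) once the RP alone has logged the user out."""
    p, r = openid_login(user)
    rp_logout_local(r)
    return relying_party.user_for(r), provider.user_for(p)


def after_provider_only_logout(user):
    """(rp_user, provider_user) once only the provider has logged out."""
    p, r = openid_login(user)
    provider_logout(p)
    return relying_party.user_for(r), provider.user_for(p)


def after_chained_logout(user):
    """(rp_user, provider_user, redirect) for the RP-then-provider logout."""
    p, r = openid_login(user)
    redirect = rp_logout_with_provider(r)
    provider_logout(p)  # the browser follows the redirect to this page
    return relying_party.user_for(r), provider.user_for(p), redirect


if __name__ == "__main__":
    print("RP-only logout:      ", after_rp_only_logout("alice"))
    print("provider-only logout:", after_provider_only_logout("bob"))
    print("chained logout:      ", after_chained_logout("carol"))
```

The redirect in `rp_logout_with_provider` is the only lever an RP has here: it cannot clear a cookie scoped to the provider's domain, and, as the reply notes, there is no protocol message by which the provider can tell every RP that the user has signed out. Showing the user that the redirect is about to happen (and why) addresses the "not properly informed" half of the original complaint.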