I have recently added OpenID login to my website. But I don't know how to add the logout feature.
For example, on clicking the Sign In button I am able to show the login form of the selected OpenID provider, for example Google Account. However, I don't know how to implement a Sign Out button to sign out of the Google Account.
Please advise.
Logout works by directing the user's browser to the end-session endpoint of the OpenID Connect provider, with the logout request parameters encoded in the URL query string. The identity of the user to logout is specified by their ID token (obtained at login), set in the id_token_hint parameter.
An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint. This URL is normally obtained via the end_session_endpoint element of the OP's Discovery response or may be learned via other mechanisms.
OpenID Connect Backchannel logout is a mechanism by which Relying Party (RP) applications are logged out with logout requests communicated directly between RPs and OpenID Providers (OP) bypassing the User Agent.
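As an added illustration of the two mechanisms described in this answer (not code from the original post or from any particular library), the following standard-library Python shows an RP building the RP-Initiated Logout redirect with `id_token_hint`, finishing the local logout when the browser comes back, and validating a Back-Channel Logout token posted by the OP. The issuer, `end_session_endpoint`, client id, HMAC key and the tokens are all constructed for the example; a real OP signs logout tokens with an asymmetric key published in its JWKS, so the HS256 helper here stands in for that signature step only.

```python
"""Added example: OpenID Connect RP-Initiated Logout and Back-Channel Logout
handling on the Relying Party side. Issuer, endpoints, client id and keys are
constructed for the example and are not real services."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed discovery response (normally fetched from
# <issuer>/.well-known/openid-configuration).
DISCOVERY = {
    "issuer": "https://op.example",
    "end_session_endpoint": "https://op.example/connect/endsession",
}
CLIENT_ID = "my-rp"
# Must be pre-registered at the OP; OPs refuse unregistered values.
POST_LOGOUT_REDIRECT_URI = "https://rp.example/logged-out"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def build_logout_url(id_token: str, state: str) -> str:
    """RP-Initiated Logout: the browser is sent to end_session_endpoint with the
    ID token from login as id_token_hint, plus where the OP should send it back."""
    params = {
        "id_token_hint": id_token,
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    }
    return DISCOVERY["end_session_endpoint"] + "?" + urlencode(params)


def finish_logout(return_url: str, expected_state: str, sessions: dict, session_id: str) -> bool:
    """Handle the redirect back from the OP. The local session is destroyed only
    if the echoed state matches the value stored before redirecting."""
    qs = parse_qs(urlsplit(return_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return False
    sessions.pop(session_id, None)  # local logout: drop the RP's own session
    return True


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a logout token for the example. Real OPs use RS256/ES256 and a JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_logout_token(token: str, key: bytes, now=None, max_skew: int = 300) -> dict:
    """Back-Channel Logout: check the signature and the claims the spec requires,
    then return the claims so the RP can end the session named by sid/sub."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this client")
    if abs(now - claims.get("iat", 0)) > max_skew:
        raise ValueError("iat outside tolerance")
    if not claims.get("jti"):
        raise ValueError("missing jti")  # also record jti to reject replays
    events = claims.get("events")
    if not isinstance(events, dict) or events.get(BACKCHANNEL_LOGOUT_EVENT) != {}:
        raise ValueError("missing backchannel-logout event claim")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:
        raise ValueError("logout token must not carry a nonce")
    return claims


if __name__ == "__main__":
    print(build_logout_url("<id_token_from_login>", "xyz"))
    key = b"constructed-example-key"
    tok = sign_hs256({"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "iat": int(time.time()),
                      "jti": "1", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sid": "abc"}, key)
    print(validate_logout_token(tok, key))
```

The `state` check on the way back and the `nonce`/`events` checks on the logout token are the parts most often skipped: without them a browser can be steered into dropping a session, and an ordinary ID token with a matching `sub` could be replayed to the back-channel endpoint as if it were a logout request.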
Individual OpenID providers offer different URLs for logout to which the user can be redirected.
Google: https://www.google.com/accounts/Logout
Yahoo: https://login.yahoo.com/config/login?logout=1
There has been discussion of allowing OPs to provide these URLs as a part of the standard; see this discussion on the OpenID mailing list.
An OpenID relying party can't log a user out of the OP; you can only implement local logout. Just like an RP cannot log a user into the OP.
I think you're mixing paradigms (hate that word, but can't think of a better one to use just now). Your login link sends the user to their OpenID provider for authentication, but it's not the user logging in to their Google account that's the important bit, it's logging in to your website, by providing credentials via OpenID. The user may well already be logged in to their OpenID provider; you don't (can't) know and don't have to care.
Similarly, the logout link on your site should log the user out of your site only, returning them to the same state as before they clicked the login button. The user might have logged out of their OpenID provider already; you neither know nor care. This site is a good example :).
Just destroy the session.