 

How to add logout feature to an OpenID enabled site?

Tags: openid, logout

I have recently added OpenID login to my website. But I don't know how to add the logout feature.

For example, on clicking the Sign In button I am able to show the login form of the selected OpenID provider, for example Google Account. However, I don't know how to implement a Sign Out button to sign out of the Google Account.

Please advise.

Madhu asked Dec 28 '09 10:12


People also ask

How does OIDC logout work?

Logout works by directing the user's browser to the end-session endpoint of the OpenID Connect provider, with the logout request parameters encoded in the URL query string. The identity of the user to logout is specified by their ID token (obtained at login), set in the id_token_hint parameter.

What is Rp initiated logout?

An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint. This URL is normally obtained via the end_session_endpoint element of the OP's Discovery response or may be learned via other mechanisms.

What is backchannel logout?

OpenID Connect Backchannel logout is a mechanism by which Relying Party (RP) applications are logged out with logout requests communicated directly between RPs and OpenID Providers (OP) bypassing the User Agent.
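The RP-initiated logout described above, as an added example that is not part of the original page: it builds the redirect to the OP's end_session_endpoint with id_token_hint, post_logout_redirect_uri and state, and refuses any post-logout URI the RP has not registered, since the OP will otherwise bounce the browser wherever the query string says. The discovery document, issuer, endpoint and registered URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Constructed stand-in for the OP's discovery document (normally fetched from
# <issuer>/.well-known/openid-configuration); the issuer and endpoint are hypothetical.
DISCOVERY = {
    "issuer": "https://op.example",
    "end_session_endpoint": "https://op.example/oidc/logout",
}

# post_logout_redirect_uris this RP registered with the OP (constructed). Only
# these may be sent, otherwise the logout redirect doubles as an open redirect.
REGISTERED_POST_LOGOUT_URIS = {
    "https://rp.example/logged-out",
}


def build_rp_initiated_logout_url(discovery, id_token, post_logout_redirect_uri, state=None):
    """Return (url, state) for sending the browser to the OP's end-session endpoint.

    id_token is the raw ID token obtained at login; it goes into id_token_hint so the
    OP knows which of its sessions to end. The local RP session should already have
    been destroyed before this redirect is issued.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        # Many OPs do not support RP-initiated logout; local logout is all that is possible.
        raise ValueError("OP advertises no end_session_endpoint; do local logout only")
    if urlparse(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must be https")
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered with the OP")
    if state is None:
        # Opaque value echoed back by the OP so the return can be tied to this request.
        state = secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}", state


def verify_post_logout_return(query_params, expected_state):
    """Check the state the OP echoes back before treating the return as a finished logout."""
    return secrets.compare_digest(query_params.get("state", ""), expected_state)
```

The state value is stored server-side (or in a short-lived cookie) between the redirect and the return; if the OP does not echo it back, the return is ignored rather than shown as a successful logout.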


4 Answers

Individual OpenID providers offer different URLs for logout to which the user can be redirected.

Google: https://www.google.com/accounts/Logout

Yahoo: https://login.yahoo.com/config/login?logout=1

There has been discussion of allowing OPs to provide these URLs as a part of the standard; see this discussion on the OpenID mailing list.

Charles Duffy answered Nov 09 '22 09:11


An OpenID relying party can't log the user out of the OP; you can only implement local logout, just like an RP cannot log the user into the OP.

Michael Krelin - hacker answered Nov 09 '22 08:11


I think you're mixing paradigms (hate that word, but can't think of a better one to use just now). Your login link sends the user to their OpenID provider for authentication, but it's not the user logging in to their Google account that's the important bit, it's logging in to your website, by providing credentials via OpenID. The user may well already be logged in to their OpenID provider; you don't (can't) know and don't have to care.

Similarly, the logout link on your site should log the user out of your site only, returning them to the same state as before they clicked the login button. The user might have logged out of their OpenID provider already; you neither know nor care. This site is a good example :).

Andrew Aylett answered Nov 09 '22 09:11


Just destroy the session.

troelskn answered Nov 09 '22 10:11
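The "just destroy the session" advice in the answers, as an added example that is not from any of the answerers: a local logout that drops the server-side session and expires the cookie, plus the OP-initiated counterpart from the back-channel logout description above, where the OP posts a logout token and the RP must validate it before destroying the matching sessions. The issuer, client_id, session store and the HS256 shared secret are constructed for offline use; real OPs sign logout tokens with asymmetric keys published at their jwks_uri, so a deployment would verify the signature with a JWT library against those keys instead of the demo secret.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://op.example"        # constructed OP issuer
CLIENT_ID = "rp-client-id"           # constructed client_id of this RP at the OP
DEMO_KEY = b"demo-shared-secret"     # constructed; only so the example signs/verifies offline

SESSIONS = {}          # local session id -> {"sub", "sid"}
SESSIONS_BY_SID = {}   # OP session id (sid claim from the ID token) -> local session ids
SEEN_JTI = set()       # logout token ids already processed (replay protection)


def create_session(local_id, sub, sid):
    SESSIONS[local_id] = {"sub": sub, "sid": sid}
    SESSIONS_BY_SID.setdefault(sid, set()).add(local_id)


def local_logout(local_id):
    """Drop the server-side session and return the Set-Cookie value that expires the cookie."""
    sess = SESSIONS.pop(local_id, None)
    if sess:
        SESSIONS_BY_SID.get(sess["sid"], set()).discard(local_id)
    return "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_demo_logout_token(claims):
    """Stand-in for the OP: mint an HS256 logout token with the demo secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, now=None):
    """Apply the back-channel logout checks: signature, iss, aud, iat, jti, events, sub/sid, no nonce."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust alg from the sender
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else (aud or [])):
        raise ValueError("token not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or iat < now - 300:
        raise ValueError("iat outside acceptance window")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:   # a nonce marks an ID token; logout tokens must not carry one
        raise ValueError("nonce present")
    SEEN_JTI.add(jti)
    return claims


def handle_backchannel_logout(token, now=None):
    """RP endpoint body: validate the OP's logout token, then destroy the matching sessions."""
    claims = validate_logout_token(token, now)
    terminated = set()
    if "sid" in claims:
        targets = list(SESSIONS_BY_SID.get(claims["sid"], ()))
    else:
        targets = [lid for lid, s in SESSIONS.items() if s["sub"] == claims["sub"]]
    for lid in targets:
        local_logout(lid)
        terminated.add(lid)
    return terminated
```

Keying the session store by the sid claim is what lets the OP end one browser's session without touching the user's other logins; when only sub is present, every session for that subject is ended, which is the behaviour the spec asks for in that case.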