On a website I have implemented the login using OpenID (based on StackOverflow).
But I can't seem to log out.
On my host I can log out, but when the user tries to log in again (especially with Google) the authentication goes through without requiring the user to type in name and password.
How can I indicate to the OpenID Provider that a user is no longer logged into the site?
The OIDC Back-Channel Logout v1.0 spec defines an alternate mechanism for communicating logout requests to all RPs that have established sessions with an OP. This mechanism relies upon direct communication of such requests between OP and RPs — bypassing the User-Agent.
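The OP-to-RP exchange that answer describes, as an added example (not code from the post or from the OIDC specification authors): the OP signs a logout token naming the session (sid) or the user (sub), and the RP's backchannel_logout_uri handler verifies the signature and the mandatory claims (iss, aud, iat, jti, the events member, no nonce) before ending the matching local sessions. The issuer, client id, shared HS256 key and session table are constructed assumptions; a production OP signs with an asymmetric key published via JWKS.

```python
import base64, hashlib, hmac, json
OP_ISSUER, RP_CLIENT_ID = "https://op.example", "joewidgets-rp"  # assumed RP config, not from the page
SHARED_KEY = b"constructed-demo-key"  # HS256 keeps the demo self-contained; real OPs use RS256 keys via JWKS
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# RP session store (constructed sample): local session id -> the sub/sid the RP recorded at login.
SESSIONS = {"local-1": {"sub": "alice", "sid": "op-sess-A"}, "local-2": {"sub": "alice", "sid": "op-sess-B"},
            "local-3": {"sub": "bob", "sid": "op-sess-C"}}
SEEN_JTI = set()  # replay protection: a logout token id is honoured once
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """What the OP POSTs as logout_token to the RP's backchannel_logout_uri (demo signer)."""
    head, body = (_b64url(json.dumps(x).encode()) for x in ({"alg": "HS256", "typ": "logout+jwt"}, claims))
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, now: float, key: bytes = SHARED_KEY) -> dict:
    """Apply the Back-Channel Logout token rules; raise ValueError on any failure (now is injected for testing)."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # verify before trusting any claim
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    checks = [
        (c.get("iss") == OP_ISSUER and RP_CLIENT_ID in aud, "wrong iss/aud"),
        (isinstance(c.get("iat"), (int, float)) and now - 300 <= c["iat"] <= now + 60, "iat outside window"),
        ("nonce" not in c, "nonce is prohibited in a logout token"),
        (isinstance(c.get("events"), dict) and LOGOUT_EVENT in c["events"], "missing backchannel-logout event"),
        ("sub" in c or "sid" in c, "token must carry sub or sid"),
        (bool(c.get("jti")) and c["jti"] not in SEEN_JTI, "missing or replayed jti"),
    ]
    failed = [msg for ok, msg in checks if not ok]
    if failed:
        raise ValueError(failed[0])
    SEEN_JTI.add(c["jti"])
    return c

def handle_backchannel_logout(token: str, now: float) -> list:
    """RP endpoint logic: end local sessions by sid, or every session of sub when the token has no sid."""
    c = validate_logout_token(token, now)
    key = "sid" if "sid" in c else "sub"
    victims = sorted(k for k, s in SESSIONS.items() if s[key] == c[key])
    for k in victims:
        del SESSIONS[k]
    return victims
```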
OpenID itself is secure, however due to its decentralised nature it often assumes that three servers are "trusted". If these servers are not trustworthy then your security is gone.
Single Logout (SLO) is a feature in federated authentication where end users can sign out of both their Okta session and a configured application with a single action. Okta supports this sign out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.
OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.
User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.
If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID.
There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.
This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.
For now, we have to remember the provider. If it's someone we know, we trigger the logout process for them. For Google, the URL is:
https://www.google.com/accounts/Logout
The logout flow is ugly but it does the job.