 

OpenID: How do you log out?

On a website I have implemented the login using OpenID (based on StackOverflow).

But I can't seem to log out.
On my host I can log out, but when the user tries to log in again (especially with Google) the authentication goes through without requiring the user to type in a name and password.

How can I indicate to the OpenID Provider that a user is no longer logged into the site?

Martin York asked Sep 06 '09 07:09


2 Answers

OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.

User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.

If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID.

There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.

arbales answered Oct 20 '22 03:10

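The two-session picture from this answer, as an added example that is not code from the question or the answer: the relying party keeps its own server-side session table, local logout only deletes from that table, and a provider whose session is still alive hands back an assertion without prompting. The provider is simulated in-process (a real one is reached by redirect); `FakeProvider`, `SessionStore`, `login` and the identifier `https://openid.example/alice` are this example's own names. The `max_auth_age` / `auth_time` pair it models is the OpenID PAPE extension's mechanism for demanding a fresh authentication, which the answer does not mention but is the usual way to stop a lingering provider session from silently recreating a local one.

```python
import secrets


class FakeProvider:
    """Constructed stand-in for an OpenID Provider that keeps its own session.

    auth_time records when the user last entered credentials *at the provider*;
    the relying party's local logout never touches it.
    """

    def __init__(self, claimed_id):
        self.claimed_id = claimed_id
        self.auth_time = None

    def authenticate(self, now, max_auth_age=None):
        """Return (claimed_id, auth_time, prompted).

        Models the PAPE openid.pape.max_auth_age request and the
        openid.pape.auth_time response: if the relying party asks for a maximum
        age and the provider's last interactive login is older than that, the
        user is prompted again. With no request, a live provider session is
        reused silently, which is the behaviour the question describes.
        """
        stale = (
            max_auth_age is not None
            and self.auth_time is not None
            and now - self.auth_time > max_auth_age
        )
        prompted = self.auth_time is None or stale
        if prompted:
            self.auth_time = now  # user typed a password at the provider
        return self.claimed_id, self.auth_time, prompted


class SessionStore:
    """Server-side session table for the relying party; the browser cookie
    only carries the random session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, claimed_id, auth_time):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id on every login
        self._sessions[sid] = {"claimed_id": claimed_id, "auth_time": auth_time}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        """Local logout: forget the session here. The provider is not informed."""
        return self._sessions.pop(sid, None) is not None


def login(store, provider, now, max_auth_age=None):
    """Relying-party side of a login. Returns (session_id, prompted).

    When max_auth_age is given, an assertion whose auth_time is older than
    requested is refused (some providers ignore the hint), so a lingering
    provider session cannot recreate a local session without the user noticing.
    """
    claimed_id, auth_time, prompted = provider.authenticate(now, max_auth_age)
    if max_auth_age is not None and now - auth_time > max_auth_age:
        return None, prompted
    return store.create(claimed_id, auth_time), prompted


def demo():
    """Walk through login -> logout -> login, with and without a freshness demand."""
    store = SessionStore()
    provider = FakeProvider("https://openid.example/alice")  # constructed identifier

    sid1, first_prompted = login(store, provider, now=1000)   # password typed
    store.destroy(sid1)                                         # local logout only
    sid2, second_prompted = login(store, provider, now=1005)  # silent: provider session alive
    store.destroy(sid2)
    sid3, third_prompted = login(store, provider, now=1010, max_auth_age=0)  # forced re-auth

    return {
        "first_prompted": first_prompted,                         # True
        "sid1_alive_after_logout": store.get(sid1) is not None,   # False
        "second_prompted": second_prompted,                       # False
        "third_prompted": third_prompted,                         # True
        "third_session_created": sid3 is not None,                # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second login is the case the question complains about: the local session was destroyed, but the provider still considers the user signed in, so nothing is asked. Passing `max_auth_age=0` on the third login is what a relying party does when it wants a password prompt regardless of what the provider remembers; the extra check in `login` matters because the hint is only a request.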

This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.

For now, we have to remember the provider. If it's someone we know, we trigger the logout process for them. For Google, the URL is:

https://www.google.com/accounts/Logout

The logout flow is ugly but it does the job.

ZZ Coder answered Oct 20 '22 02:10
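The "remember the provider and send the user to its logout page" approach from this answer, as an added example that is not the answer's own code. It assumes the site recorded a provider name in the local session at login (the `sessions` dict shape, `PROVIDER_LOGOUT_URLS` and `is_local_path` are this example's own); the Google entry is the URL quoted in the answer. The part a practitioner should not skip is the allow-list: the redirect target after logout comes from a fixed table keyed by the stored provider name, never from a request parameter, so the logout endpoint cannot be turned into an open redirect.

```python
from urllib.parse import urlsplit

# Providers whose logout page we know, keyed by the name stored in the session
# at login. The Google URL is the one quoted in the answer above.
PROVIDER_LOGOUT_URLS = {
    "google": "https://www.google.com/accounts/Logout",
}


def is_local_path(candidate):
    """Accept only a same-site path such as '/docs'.

    Rejects absolute URLs, scheme-relative '//host' forms and the '/\\host'
    variant that browsers treat like '//host', so a 'next' parameter cannot
    turn the logout endpoint into an open redirect.
    """
    if not isinstance(candidate, str) or not candidate.startswith("/"):
        return False
    if candidate.startswith("//") or candidate.startswith("/\\"):
        return False
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


def logout(sessions, sid, next_path=None):
    """Destroy the local session, then decide where to send the browser.

    sessions: dict of session id -> dict with a 'provider' key recorded at
    login (constructed shape for this example). Returns the redirect target.
    """
    session = sessions.pop(sid, None)
    fallback = next_path if is_local_path(next_path) else "/"
    if session is None:
        return fallback  # nothing to log out of; stay on our own site
    # Chain the provider's own logout when we know it. The target comes from
    # the fixed table above, never from request data.
    return PROVIDER_LOGOUT_URLS.get(session.get("provider"), fallback)


def demo():
    """Constructed session table: one Google login, one from a provider we
    have no logout URL for."""
    sessions = {
        "s-google": {"provider": "google", "claimed_id": "https://openid.example/alice"},
        "s-other": {"provider": "myopenid", "claimed_id": "https://openid.example/bob"},
    }
    return {
        "google_logout": logout(sessions, "s-google"),              # provider logout URL
        "google_gone": "s-google" not in sessions,                  # True
        "unknown_provider_next": logout(sessions, "s-other", "/account/settings"),  # local path kept
        "stale_sid_evil_next": logout(sessions, "s-google", "//evil.example/"),     # "/"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Sending the browser to the provider's logout page ends the session there as well, which is what the answer calls "ugly but it does the job"; the user lands on the provider's site rather than back on yours. For providers not in the table, the best you can do is the local logout and a same-site redirect.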