OpenID best implementation practices?
Martin Atkins
mart at degeneration.co.uk
Sun Jan 1 15:43:45 UTC 2006
Johannes Ernst wrote:
>
> 2) Is there a "best practice" for single sign-OUT (not -IN)? It is
> relatively straightforward to keep track of all the Relying Parties at
> which I have authenticated during the current session, but other than
> visiting each of them manually and looking for the OpenID Logout button
> on each of them, can I automate this from one big button "log out
> everywhere"?
>
OpenID does not have a concept of "session". A successful OpenID
authentication says "at this instant, I verify that the user is
http://frank.livejournal.com/"; it is up to the consumer to decide what
assumptions to make about that.

Most consumer site implementations create some kind of "session" to
track the user after the OpenID authentication step. The user must
explicitly log out at each site using the site-specific mechanism provided.
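
The consumer-side session handling described in the message above, as an added example that is not part of the original post or of any OpenID library. `ConsumerSite`, its method names and the one-hour lifetime are hypothetical, and the OpenID response is assumed to have been verified before `on_verified_assertion` is called.

```python
import secrets
import time

SESSION_TTL = 3600  # assumed policy: seconds a consumer trusts one assertion


class ConsumerSite:
    """One OpenID consumer (relying party) with its own local session table."""

    def __init__(self, name, ttl=SESSION_TTL):
        self.name = name
        self.ttl = ttl
        self._sessions = {}  # session id -> (identity URL, expiry time)

    def on_verified_assertion(self, identity_url, now=None):
        """Call only after the OpenID response has been verified.

        The assertion covers that instant only, so the consumer mints its
        own session and decides for itself how long to keep trusting it.
        """
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = (identity_url, now + self.ttl)
        return sid

    def current_user(self, sid, now=None):
        """Return the identity URL for a live session, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        identity_url, expires = entry
        if now >= expires:
            del self._sessions[sid]  # expired: require a fresh assertion
            return None
        return identity_url

    def logout(self, sid):
        """Site-specific logout: drops this consumer's session only."""
        return self._sessions.pop(sid, None) is not None
```

Two `ConsumerSite` objects share no state, so logging out of one leaves the other's session live until it expires or the user logs out there as well.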