I am using DotNetOpenId for login.

I log in to my application using a DotNetOpenId provider, say Google.

At logout I end my application user's session with FormsAuthentication.SignOut(); but if I do not close the browser and log in using Google again, it does not ask me for an ID and password and lands me on the secured page of my application.

Also, if I try gmail.com, it lands me directly in the user account without asking for an ID and password.

So how can I log out completely from my application and from Google too?

Thanks in advance

+1  A: 

I think you are mistaking the Relying Party and the OpenID Provider. Using StackOverflow as an example, SO is the Relying Party and other sites (e.g. Google) are the OpenID Provider(s).

The Relying Party (e.g. SO) has no say in when the OpenID Provider (e.g. Google) chooses to "forget" the user for their own purposes.

EDIT: I was not familiar with the PAPE extension. However, if I understand correctly, it does not provide a way for the RP to say to the OP, "On your end, forget this user's authentication", which is what I think rehan wants. It just provides a way for the RP to demand another authentication for the RP's purposes.

I still see no way for (e.g.) SO to log a Google user out of Gmail after SO logs them out.

Matthew Flaschen
Matt, actually the RP *does* have some influence over whether an OP re-authenticates the user via the PAPE extension: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor8
Andrew Arnott
Hi Matthew, I have corrected my question. Now give me a reply to the question.
Hi Matthew and Andrew, this means it's not possible to log out from the OpenID Provider (e.g. Google) from my application (RP). I am hoping there must be some workaround.
A: 

It means the DotNetOpenId or DotNetOpenAuth API(s) do not have any signout/logout method from the OP. Am I correct or wrong?

Yes, I believe that is correct, because OpenID itself does not provide for this.
Matthew Flaschen
A: 

Some people are talking about logout_immediate & logout_setup, but it is not explained very well how to implement them or where to use them. Does anybody have an idea about it?

Rehan, you should "add comment" to someone else's answer or comment if you're responding to their question on StackOverflow rather than posting an answer to your question that is no answer at all. :)
Andrew Arnott
A: 

It sounds like what you're looking for is a Logout feature that will allow the relying party to also log the user out of the Provider at the same time.

DotNetOpenId doesn't offer this feature because OpenID itself doesn't have this feature in its spec. There's simply no way to do it right now. The OpenID community have had conversations about spec'ing out such a feature, but so far it's not there. If and when OpenID adds such a feature to its spec, DotNetOpenId will add support for it.

Andrew Arnott
Thanks for the clear answer. If OpenID does not have such a feature but I want to implement a forced logout, is there any workaround? Many websites talk about a short-term cookie, but how do I implement this?
No kind of cookie at the RP will help you log the user out of the OP. One workaround would be to recognize the OP Endpoint of the OP the user logged in with and have a lookup table that translates that to a URL you can redirect the user to force logout at the OP. For example http://google.com/signout
Andrew Arnott
A: 

I had the same issue, so I tried this: when I logged out of my website, which uses DotNetOpenId, I also made a call to the following Gmail logout link: https://mail.google.com/mail/?logout&hl=en. This logged me out of Gmail also.
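
The lookup-table workaround from the comments above, combined with the logout link from this last answer, as an added example that is not part of the original thread and is not DotNetOpenId code. The `ProviderLogout` class, the `www.google.com` endpoint host and the `rp.example` URLs are assumptions; the redirect target comes only from the fixed table, never from request input, so the logout page cannot be used as an open redirect.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical helper, not a DotNetOpenId API).
public static class ProviderLogout
{
    // Key: host of the OP endpoint the user logged in with (assumed value).
    // Value: the provider logout link quoted on this page.
    private static readonly Dictionary<string, Uri> LogoutUrls =
        new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
        {
            { "www.google.com", new Uri("https://mail.google.com/mail/?logout&hl=en") },
        };

    // opEndpoint: the OP endpoint the RP stored in the session at login time.
    // Returns the provider logout URL if the OP is known, else the RP's own page.
    public static Uri GetPostLogoutUrl(string opEndpoint, Uri localSignedOutPage)
    {
        Uri endpoint;
        Uri target;
        if (Uri.TryCreate(opEndpoint, UriKind.Absolute, out endpoint)
            && endpoint.Scheme == Uri.UriSchemeHttps
            && LogoutUrls.TryGetValue(endpoint.Host, out target))
        {
            return target;
        }
        return localSignedOutPage; // unknown or malformed endpoint: stay local
    }

    public static void Main()
    {
        var local = new Uri("https://rp.example/signed-out"); // constructed

        // Constructed sample endpoints: one known OP, one unknown, one malformed.
        string[] samples =
        {
            "https://www.google.com/openid-endpoint",
            "https://op.example/server",
            "not a url",
        };

        // In an ASP.NET logout handler this would follow FormsAuthentication.SignOut()
        // and the result would be passed to Response.Redirect(...).
        foreach (var s in samples)
            Console.WriteLine("{0} -> {1}", s, GetPostLogoutUrl(s, local));
    }
}
```

The local session is still ended first; the redirect only asks the provider to end its own session, and a provider can change or remove its logout link at any time.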