views:

434

answers:

4

On a website I have implemented the login using OpenID (based on StackOverflow).

But I can't seem to log out.
On my host I can log out, but when the user tries to log in again (especially with Google) the authentication goes through without requiring the user to type in a name and password.

How can I indicate to the OpenID Provider that a user is no longer logged into the site?

+4  A: 

That's generally something handled by the OpenID provider - for instance, if the user remains logged into their Google account and checked the box to "remember" the OpenID authorization for your particular site, then the provider will transparently log them in and redirect them back without displaying the login prompt.

Amber
+7  A: 

OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.

User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.

If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID.

There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.

arbales
+3  A: 

This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.

For now, we have to remember the provider. If it's someone we know, we trigger the logout process for them. For Google, the URL is:

https://www.google.com/accounts/Logout

The logout flow is ugly but it does the job.

ZZ Coder
Now that's just mean! The reason I like OpenID is that I'm in control, not the site I'm at. Log me out of my gmail, and I'll never visit your site again.
JasonWoof
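The two answers above boil down to one server-side rule: logout must invalidate the relying party's own session record, and the provider session is a separate thing you can at most redirect to. The following is an added illustration (not code from the question or any answer) of a minimal session store that does exactly that; the `PROVIDER_LOGOUT_URLS` table, the `SessionStore` class and the session TTL are assumptions, and only the Google URL comes from the thread.

```python
import secrets
import time

# Assumed table of provider logout URLs; only the Google entry appears in the thread.
PROVIDER_LOGOUT_URLS = {
    "google": "https://www.google.com/accounts/Logout",
}

SESSION_TTL_SECONDS = 3600  # assumed local session lifetime


class SessionStore:
    """Opaque-token session store kept entirely on the relying party (constructed example)."""

    def __init__(self):
        # token -> {"user": ..., "provider": ..., "expires": ...}
        self._sessions = {}

    def login(self, user_id, provider):
        """Called after a verified OpenID assertion; starts a *local* session only."""
        token = secrets.token_urlsafe(32)  # unguessable, not derived from the OpenID URL
        self._sessions[token] = {
            "user": user_id,
            "provider": provider,
            "expires": time.time() + SESSION_TTL_SECONDS,
        }
        return token

    def current_user(self, token):
        """Return the user for a valid token, or None if unknown, logged out or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[token]  # expired: treat exactly like a logout
            return None
        return entry["user"]

    def logout(self, token):
        """Invalidate the local session server-side (not merely clear the cookie).

        Returns the provider's logout URL when the provider is one we know, so the
        caller can decide whether to send the browser there as well; otherwise None.
        The provider's own session is outside our control either way.
        """
        entry = self._sessions.pop(token, None)
        if entry is None:
            return None
        return PROVIDER_LOGOUT_URLS.get(entry["provider"])
```

After `logout`, the old token is rejected even if the browser still presents it, which is the part the site itself can guarantee.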
A: 

"It's a feature not a bug"

The ID provider can choose to keep the user authorized for the provider through cookies, and further can choose not to re-prompt the user about sharing the same information that was shared previously (with a prompt). So when the user on Site A asked to be authorized through Site B and got redirected, Site B first asked the user to authenticate himself or herself. Then Site B asked if it should share any information (and sometimes which information) with Site A. At this point it will also customarily ask if you want to automatically share this same information in the future. Some providers will assume yes, some no, some won't ask. Site B then redirects to Site A and shares the information; you're now logged in.

If Site A makes a second redirection to Site B to request a login, Site B might 1) Already have a cookie that authenticates the current user of Site B. 2) Already have a record of what information is acceptable to share with Site B. 3) Automatically share this information through a redirect without pausing to prompt the user at all.

This is a feature centered around convenience.

dlamblin