views:

401

answers:

4

Started with this question: http://stackoverflow.com/questions/1385082/openid-how-do-you-logout

OK. So OpenID does not have single logout.
I can see the uses but there are some situations that worry me:

Single sign-on is great for mobile devices and your personal computer.
You sign on once and probably never need to sign out again (just authenticating with new sites as you go).

But if I am on a public computer (airport, or even a work computer) this is a problem.

When I sign into a website using OpenID I am signing into two different places and that is not obvious. I sign on to a website (stackoverflow for example, using a gmail account) but at the same time I have just signed into gmail (the OpenID Provider).

When I sign out of stackoverflow I am still signed into gmail (the OpenID Provider).

When I authenticate with gmail I don't want to login into gmail I just want to authenticate.

A hack around this is to have the logout flow log me out of gmail at the same time, but as noted on the last post, if I log out of stackoverflow I don't necessarily want to logout of gmail if I am at home.

So the question really is:
Is there a way to authenticate with these OpenID providers without logging on.

Because even sites like stack overflow, they do not log you out when you logout of the OpenID provider you authenticated with. If you have gmail account I can log in and out all day without affecting if stackoverflow is logged in.

+2  A: 

If the protocol doesn't support it (and it doesn't) then there's nothing you can do here, aside from delete all your cookies once you're done, which would clear the cookie which logs you into your provider and the ones that log you into services.

As an aside, an OpenID provider doesn't have to provide you with a persistent cookie, or even a session cookie which keeps you logged into your OpenID account; it could authenticate you once for itself, then send the authentication token onwards. If you're worried about being logged into Gmail when you use OpenID then choose another OpenID provider.

But how is this a question?

blowdart
Is there a way to authenticate with these OpenID providers without logging on.
Martin York
Well you have to logon to get a token to send to the relying party, what you want is it to not persist your logon at your provider. And that's down to the provider, not random folks on stackoverflow.
blowdart
That's my point. I would like my site to authenticate with google, but without affecting the state of gmail with the client. I don't want what the user does on my site to affect their state on other sites (unless the user wants to do that but that has nothing to do with my site).
Martin York
Then you'll need to get every OpenID provider to change how they work. Good luck with that.
blowdart
+2  A: 

People apparently fail to see the question in your question, so I repeat it here just for clarity (and with a question mark)

Is there a way to authenticate with these OpenID providers without logging on?

I believe that the answer to this question is "no" (as blowdart elaborates).

Martin v. Löwis
A: 

OpenID doesn't specify whether a provider should create a login session for itself, but almost all of them do. So there is no option to just authenticate to the RP without leaving a session at the OP.

If you really want to authenticate without leaving a session, you can do it with other protocols. Just about every OP provides a proprietary protocol to log in with username/password. For example, Google has ClientAuth and AOL has directLogin. This is the so-called password anti-pattern. It creates some privacy concerns because you collect the Google password on your site. I am not recommending it in any way.

ZZ Coder
A: 

The short answer is yes, in practice, by choosing a reasonable OpenID provider.

The long answer is that this is a question about your OpenID provider, not OpenID itself.

OpenID only handles authentication. Session support (and related concepts such as logging in or out) is outside of the OpenID spec.

Your OpenID provider may keep a session for you (probably with a browser cookie). Any reasonable provider will not do this unless you indicate ("remember me when logging into stackoverflow.com").

The OpenID consumer (such as StackOverflow) may keep a session for you as well. There is nothing you can do about this, but this is true for any authentication scheme, whether 3rd party or direct.

Because the 3rd-party aspects of OpenID are well designed, it is easy to avoid logging in in practice, by choosing a reasonable provider, or better yet, by using an HTML page as your claimed identity, which delegates to a provider which you can change if you decide to switch.

Karl Anderson
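The delegation approach in the last answer (your own HTML page as the claimed identifier, pointing at a provider you can swap later) rests on OpenID's HTML-based discovery: the relying party fetches the claimed URL and reads `<link rel="openid2.provider">` / `<link rel="openid2.local_id">` (OpenID 2.0) or `<link rel="openid.server">` / `<link rel="openid.delegate">` (OpenID 1.x) from the page's `<head>`, then sends the user to that provider's endpoint. The example below is an added illustration written for this page, not code from any of the answers; the delegation page, the host names `alice.example.org`, `op.example.net` and `other-op.example.com`, and the `return_to`/realm values are all constructed for the demo. It shows the discovery step, how the claimed identifier and the provider-local identifier end up in different parameters of the `checkid_setup` request, and that re-pointing the page changes the provider without changing the identity the RP stores.

```python
"""OpenID HTML discovery for a delegated identity page (added example).

The RP stores the *claimed* identifier (your own URL).  Which provider
authenticates it is read from the page each time, so you can switch
providers by editing two <link> tags.  Sample page and URLs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: Alice's home page, delegating to a hypothetical provider.
# Both OpenID 2.0 and 1.x tags are present so old and new RPs can use it.
DELEGATION_PAGE = """<!DOCTYPE html>
<html><head>
  <title>Alice</title>
  <link rel="openid2.provider" href="https://op.example.net/openid/endpoint">
  <link rel="openid2.local_id" href="https://op.example.net/users/alice">
  <link rel="openid.server"   href="https://op.example.net/openid/endpoint">
  <link rel="openid.delegate" href="https://op.example.net/users/alice">
</head><body>Alice's home page</body></html>
"""

# The same page after "switching providers": only the <link> tags differ.
SWITCHED_PAGE = DELEGATION_PAGE.replace("op.example.net", "other-op.example.com")

OPENID2_NS = "http://specs.openid.net/auth/2.0"


class _HeadLinkCollector(HTMLParser):
    """Collect (rel-token, href) pairs from <link> tags inside <head> only,
    which is where the OpenID spec requires them to be."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            href = a.get("href")
            if href:
                # rel may carry several whitespace-separated tokens; compare case-insensitively
                for token in (a.get("rel") or "").split():
                    self.links.append((token.lower(), href))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html, claimed_id):
    """Return discovery info for a claimed identifier from its HTML.

    Prefers OpenID 2.0 tags, falls back to 1.x tags, raises if neither exists.
    local_id defaults to the claimed_id when no delegation is declared.
    """
    collector = _HeadLinkCollector()
    collector.feed(html)
    rels = {}
    for rel, href in collector.links:
        rels.setdefault(rel, href)  # first occurrence wins, per the spec
    if "openid2.provider" in rels:
        return {"version": 2, "op_endpoint": rels["openid2.provider"],
                "claimed_id": claimed_id,
                "local_id": rels.get("openid2.local_id", claimed_id)}
    if "openid.server" in rels:
        return {"version": 1, "op_endpoint": rels["openid.server"],
                "claimed_id": claimed_id,
                "local_id": rels.get("openid.delegate", claimed_id)}
    raise ValueError("no OpenID <link> tags found in <head> of %s" % claimed_id)


def build_checkid_setup(disc, return_to, realm):
    """Build the query parameters the RP redirects the browser with.

    In 2.0 the RP sends both openid.claimed_id (what it will store) and
    openid.identity (the provider-local id); 1.x has only openid.identity.
    """
    params = {"openid.mode": "checkid_setup",
              "openid.identity": disc["local_id"],
              "openid.return_to": return_to}
    if disc["version"] == 2:
        params["openid.ns"] = OPENID2_NS
        params["openid.claimed_id"] = disc["claimed_id"]
        params["openid.realm"] = realm
    else:
        params["openid.trust_root"] = realm
    return params


def redirect_url(disc, return_to, realm):
    """The provider URL the RP would 302 the user to."""
    sep = "&" if "?" in disc["op_endpoint"] else "?"
    return disc["op_endpoint"] + sep + urlencode(build_checkid_setup(disc, return_to, realm))


if __name__ == "__main__":
    claimed = "https://alice.example.org/"
    for page in (DELEGATION_PAGE, SWITCHED_PAGE):
        d = discover(page, claimed)
        print(d["claimed_id"], "->", redirect_url(d, "https://rp.example.com/openid/return", "https://rp.example.com/"))
```

Run stand-alone it prints two redirect URLs with the same `openid.claimed_id` but different provider endpoints. A practical caveat: the RP must fetch the claimed URL itself (not trust a user-supplied endpoint), and after the provider responds it must verify that the asserted `openid.identity`/`openid.claimed_id` pair matches what discovery returned, otherwise any provider could assert any identity.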