James

Reputation: 7533

When I sign out with the OpenId Provider, I remain authenticated with the RP

I've got a very simple DotNetOpenAuth implementation working for my MVC4 site (Google only).

The trouble is, if I (1) log in to my site using Google and then (2) log out of Google, I still remain authenticated on my site.

Is this by design? I'm new to OpenId so I'm a bit confused. Surely users will expect that if they sign out of Google that will end all their associated OpenId sessions?

Upvotes: 0

Views: 341

Answers (1)

Tim Blackburn

Reputation: 1106

Is this by design?

Yes.

It would cause havoc for websites if other websites could just go and alter their session states when a user logs out of Gmail (in this example). What if you were halfway through executing a DB/SQL update script that requires the user_id from your session, and all of a sudden it's not there because the user just logged out of the Gmail account? You'd have scripts falling over all over the place. Or what if they have 2 Gmail accounts and log out of one account to check their mail in the other account. Bam, they're logged out of all other sites. I think not :-)

When a user "logs in" onto a site using a 3rd party credential provider, it is still their responsibility to log out of both sites if they want to.

Upvotes: 2
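
An added example, not part of the question or answer above and not DotNetOpenAuth's own sample code: a sketch of an MVC relying party showing where the local session is created, why it outlives the provider's session, and how the RP bounds and ends it itself. The controller and action names, the `OpIdentifier` placeholder and the 30-minute lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical controller: names and values below are assumptions for illustration.
public class AccountController : Controller
{
    private static readonly OpenIdRelyingParty Rp = new OpenIdRelyingParty();
    private const string OpIdentifier = "https://op.example/"; // placeholder OP identifier
    private static readonly TimeSpan LocalLifetime = TimeSpan.FromMinutes(30);

    public ActionResult LogOn()
    {
        IAuthenticationResponse response = Rp.GetResponse();
        if (response == null)
        {
            // First pass: no assertion yet, so redirect the browser to the OP.
            return Rp.CreateRequest(OpIdentifier).RedirectingResponse.AsActionResult();
        }
        if (response.Status != AuthenticationStatus.Authenticated)
        {
            return new HttpUnauthorizedResult();
        }

        // The OP's involvement ends with this one assertion. From here on the
        // session is the RP's own cookie; nothing links it to the OP's session.
        string claimedId = response.ClaimedIdentifier;
        var ticket = new FormsAuthenticationTicket(
            1, claimedId, DateTime.Now, DateTime.Now.Add(LocalLifetime),
            false /* not persistent */, string.Empty);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }

    // Ending the RP session is a local action, independent of the OP.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut(); // expires the forms-auth cookie
        Session.Abandon();             // drops server-side session state
        return RedirectToAction("Index", "Home");
    }
}
```

If `slidingExpiration` is enabled in the forms authentication configuration, the ticket is renewed on activity, so the 30-minute bound applies to idle time rather than total session length.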
