Don't use OAuth, use OpenID.  OAuth isn't designed for authentication and 
OpenID is.


________________________________
 From: Adrian Servenschi <[email protected]>
To: [email protected] 
Sent: Wednesday, January 2, 2013 1:25 PM
Subject: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

Hi guys,

I am working on implementing login/registration with common identity providers 
into our application.
I am using Scribe for java library which implements the OAuth protocol.

I've encountered what I consider a small security issue that I don't know how 
to solve.
If I sign in to our application via, let's say, Google and then I sign out, the 
Google session cookie remains active in the browser.
I can open Gmail afterwards in my browser and my inbox is displayed without 
needing to authenticate.

Imagine that a user signs in to our application in an internet cafe, then signs 
out and leaves the facility.
A different client comes to the same desk, opens Gmail and he/she sees the 
inbox of the first person.
This can be a security hazard which I don't know how to solve.
I see only 3 options:

1) I can leave it like this --> hazardous
2) If I use the Google API to sign out the user from Google when performing 
sign out from our application, then the user will be signed out from every 
Google application he has opened in his browser.
In addition I heard that the documentation for performing Sign Out via various 
identity providers APIs is not quite clear. But this still needs to be 
investigated.

3) The third option: displaying some informative text when the user signs out 
of the application, informing him that he/she signed out from our application 
only, and not from Google/other identity provider,
seems to be the best option.

I would highly appreciate it if you could advise me regarding this issue.
Thank you very much in advance!

Adrian Servenschi.    

P.S. This is what I found on Facebook Platform Policies page 
http://developers.facebook.com/policy/
Your website must offer an explicit "Log Out" option that also logs the user 
out of Facebook.
So indeed some form of option 3) will be the best choice?
Looking forward to your advice and suggestions.
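The following is an added illustration of the sign-out problem discussed in the message above; it is not code from the thread, from Scribe, or from any identity provider's SDK. It shows what a relying party's logout handler can and cannot control: it can destroy its own server-side session, expire its own session cookie and revoke the access token it stored, but it cannot clear a cookie that belongs to the provider's domain, which is why the notice from option 3 is returned. All names here (Session, SESSIONS, logout, expire_cookie_header, the injected revoke callback) are hypothetical, and the sample session data is constructed.

```python
"""Added example: application-side logout after an OAuth-based sign-in.

The application owns three things: its server-side session record, the cookie
that references it, and the access token it obtained. The identity provider's
own browser session is a cookie on the provider's domain, which this
application cannot read or clear, so the user is told to sign out there too.
"""

from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    provider: str          # e.g. "google" (constructed sample value)
    access_token: str      # token obtained through the OAuth flow


@dataclass
class LogoutResult:
    session_destroyed: bool
    token_revoked: bool
    set_cookie_header: str
    notice: str


# In-memory stand-in for the application's server-side session store (constructed).
SESSIONS: Dict[str, Session] = {}


def expire_cookie_header(name: str = "app_session") -> str:
    """Set-Cookie header that overwrites the application's own session cookie
    with an already-expired value. Only cookies for this application's domain
    can be cleared this way; a provider's cookie on another domain cannot."""
    return (f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def logout(session_id: str,
           revoke: Optional[Callable[[str, str], bool]] = None) -> LogoutResult:
    """Sign the user out of the application.

    1. Remove the server-side session, so the cookie value is useless even if
       the browser keeps it.
    2. Optionally revoke the stored access token at the provider. The `revoke`
       callback is injected (hypothetical) so the example runs offline; a real
       one would call the provider's token revocation endpoint.
    3. Tell the browser to drop the application cookie and return the notice
       that the user is still signed in at the provider.
    """
    session = SESSIONS.pop(session_id, None)
    token_revoked = False
    if session is not None and revoke is not None:
        # Best effort: a failed revocation must not keep the local session alive.
        try:
            token_revoked = bool(revoke(session.provider, session.access_token))
        except Exception:
            token_revoked = False
    provider = session.provider if session else "your identity provider"
    notice = (f"You have been signed out of this application only. "
              f"You are still signed in to {provider}; to end that session, "
              f"sign out there as well, especially on a shared computer.")
    return LogoutResult(session_destroyed=session is not None,
                        token_revoked=token_revoked,
                        set_cookie_header=expire_cookie_header(),
                        notice=notice)


def is_authenticated(session_id: str) -> bool:
    """Request-time check: a cookie value with no server-side session is rejected."""
    return session_id in SESSIONS


def demo() -> LogoutResult:
    """Create one constructed session, sign it out with a fake revoke callback."""
    SESSIONS["sid-123"] = Session(user_id="u1", provider="google",
                                  access_token="constructed-access-token")
    revoked = []

    def fake_revoke(provider: str, token: str) -> bool:
        revoked.append((provider, token))
        return True

    return logout("sid-123", revoke=fake_revoke)


if __name__ == "__main__":
    r = demo()
    print(r.set_cookie_header)
    print(r.notice)
```

The design point is that invalidation happens server-side first: once the session record is gone, `is_authenticated` rejects the old cookie value whether or not the browser honours the expiring Set-Cookie header, and the only state left on a shared machine is the provider's own session, which the notice tells the user to end.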
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth