Thank you George, John, William and Justin. Your responses are knowledgeable and extremely helpful.
You are a great team. Thanks again.

Adrian Servenschi

On Thu, Jan 3, 2013 at 10:42 PM, George Fletcher <[email protected]> wrote:
> There is no standardization of the logout flow in OAuth or OpenID (there
> is in OpenID Connect as John mentioned) so your option 3...
>
> 3) The third option: displaying some informative text when the user signs
> out from the application informing him that he/she signed out from our
> application only, and not from Google/other identity provider,
> seems to be the best option.
>
> is the best option right now.
>
> The problem is that as the application you don't know if the user signed
> in with Google just to access your app, or if they already had Gmail open.
> In the first case it would be nice to sign the user out of Google since
> they authenticated solely for the purpose of accessing your app. In the
> second case you DON'T want to sign them out as that will kill their Gmail
> session which is probably not what the user (or your app) wants.
>
> So, informing the user that they are still logged in at Google is a good
> choice. You might want to give the user the option to forgo the warning in
> the future once they understand what is happening.
>
> Thanks,
> George
>
>
> On 1/2/13 4:25 PM, Adrian Servenschi wrote:
>
> Hi guys,
>
> I am working on implementing login/registration with common identity
> providers in our application.
> I am using the Scribe library for Java, which implements the *OAuth* protocol.
>
> I've encountered what I consider a small security issue that I don't
> know how to solve.
> If I sign in to our application via, let's say, Google and then I sign
> out, the Google session cookie remains active in the browser.
> I can open Gmail afterwards in my browser and my inbox is displayed
> without the need to authenticate.
>
> Imagine that a user signs in to our application in an internet cafe,
> then signs out and leaves the facility.
> A different client comes to the same desk, opens Gmail and he/she sees the
> inbox of the first person.
> This can be a security hazard which I don't know how to solve.
> I see only 3 options:
>
> 1) I can leave it like this --> hazardous
> 2) If I use the Google API to sign out the user from Google when
> performing sign out from our application then the user will be signed out
> from every Google application he has opened in his browser.
> In addition I heard that the documentation for performing sign out via
> various identity providers' APIs is not quite clear. But this still needs to
> be investigated.
>
> 3) The third option: displaying some informative text when the user
> signs out from the application informing him that he/she signed out from
> our application only, and not from Google/other identity provider,
> seems to be the best option.
>
> I will highly appreciate it if you can advise me regarding this issue.
> Thank you very much in advance!
>
> Adrian Servenschi.
>
> P.S. This is what I found on the Facebook Platform Policies page
> http://developers.facebook.com/policy/
> Your website must offer an explicit "Log Out" option that also logs the
> user out of Facebook.
>
> So indeed a form of option 3) will be the best choice?
> Looking forward to your advice and suggestions.
>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
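The local-logout handling discussed in this thread (Adrian's option 3, plus George's suggestion of letting the user switch the warning off once they understand it), written out as an added Python example. This is not code from the thread, from Scribe or from any identity provider; it assumes a constructed provider table in which Google's token revocation endpoint is taken to be https://oauth2.googleapis.com/revoke and "oidc-example" is a hypothetical OpenID Connect provider that advertises an end_session_endpoint (the RP-Initiated Logout mechanism George alludes to when he says OpenID Connect has standardized logout). The HTTP POST is passed in as a callable so the example runs offline. The security points it makes that the thread only implies: the app session must be destroyed server-side, not merely by clearing the cookie; revoking the app's own token is best-effort and must never block the logout; and the IdP logout is offered as a link, never forced, because the app cannot know whether the user also wants their Gmail session gone.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Constructed provider metadata (an assumption, not taken from the thread).
# Google's revocation endpoint is assumed; "oidc-example" is a hypothetical
# OpenID Connect provider advertising the RP-Initiated Logout endpoint.
PROVIDERS = {
    "google": {
        "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
        "end_session_endpoint": None,
    },
    "oidc-example": {
        "revocation_endpoint": None,
        "end_session_endpoint": "https://idp.example.com/logout",
    },
}

# Set-Cookie value that expires the application's own session cookie.
EXPIRE_COOKIE = "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Session:
    user: str
    provider: str
    access_token: str
    id_token: Optional[str] = None          # only present for OIDC logins
    suppress_logout_notice: bool = False    # user chose "don't warn me again"


class SessionStore:
    """Server-side session table keyed by an opaque, random cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, session: Session) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = session
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> Optional[Session]:
        return self._sessions.pop(sid, None)


@dataclass
class LogoutResult:
    session_destroyed: bool
    token_revoked: bool
    notice: Optional[str]               # option 3: tell the user what did NOT happen
    provider_logout_url: Optional[str]  # optional "also sign out of the IdP" link
    set_cookie: str


def logout(store: SessionStore, sid: str,
           post: Callable[[str, Dict[str, str]], int],
           post_logout_redirect_uri: str) -> LogoutResult:
    """Local logout: kill the app session server-side, revoke the app's own
    token best-effort, and tell the user the IdP session is still alive."""
    session = store.destroy(sid)           # idempotent: a replayed cookie is dead
    if session is None:
        return LogoutResult(False, False, None, None, EXPIRE_COOKIE)

    meta = PROVIDERS[session.provider]

    # Revoking the access token limits what a stolen token can do afterwards,
    # but it must never block the logout itself, so failures are swallowed.
    revoked = False
    if meta["revocation_endpoint"]:
        try:
            revoked = post(meta["revocation_endpoint"],
                           {"token": session.access_token}) == 200
        except Exception:
            revoked = False

    # OpenID Connect RP-Initiated Logout: offer (do not force) IdP logout.
    provider_logout_url = None
    if meta["end_session_endpoint"] and session.id_token:
        provider_logout_url = meta["end_session_endpoint"] + "?" + urlencode({
            "id_token_hint": session.id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
        })

    notice = None
    if not session.suppress_logout_notice:
        notice = (f"You have been signed out of this application only. Your "
                  f"{session.provider} session is still active in this browser; "
                  "if this is a shared computer, sign out there as well.")

    return LogoutResult(True, revoked, notice, provider_logout_url, EXPIRE_COOKIE)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(Session("alice", "google", "ya29.constructed-token"))
    print(logout(store, sid, lambda url, data: 200, "https://app.example.com/"))
```

The "don't warn me again" flag is kept on the session here for brevity; in a real application it belongs with the user's stored preferences, since the session is gone by the time the notice is rendered on the next logout.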
