Question

I have recently added OpenID login to my website. But I don't know how to add the logout feature.

For example, on clicking the Sign In button I am able to show the login form of the selected OpenID provider, for example Google Account. However, I don't know how to implement a Sign Out button to sign out of the Google Account.

Please advise.


Solution

An OpenID relying party can't log the user out of the OP; you can only implement local logout. Just as the RP cannot log the user into the OP.

Other tips

Individual OpenID providers offer different URLs for logout to which the user can be redirected.

Google: https://www.google.com/accounts/Logout

Yahoo: https://login.yahoo.com/config/login?logout=1

There has been discussion of allowing OPs to provide these URLs as a part of the standard; see this discussion on the OpenID mailing list.

I think you're mixing paradigms (hate that word, but can't think of a better one to use just now). Your login link sends the user to their OpenID provider for authentication, but it's not the user logging in to their Google account that's the important bit, it's logging in to your website, by providing credentials via OpenID. The user may well already be logged in to their OpenID provider; you don't (can't) know and don't have to care.

Similarly, the logout link on your site should log the user out of your site only, returning them to the same state as before they clicked the login button. The user might have logged out of their OpenID provider already; you neither know nor care. This site is a good example :).

Just destroy the session.

You can only implement local logout for OpenID. As Charles Duffy said, you can always use specific URLs, but that is provided the user is using a provider that you know the logout URL for. That can be frustrating if your user discovers that all his Google accounts are logged out when they log out of your website.

The other way of looking at the problem is whether you want to ensure that the person logging into your website always needs to key in his password, instead of just logging in when he is already logged in to an OpenID provider.

This (IMHO) provides better security if they are using it from a public terminal. This will ensure that the user who is logging in always needs to revalidate his password.

To do that it's actually quite simple, just use the PAPE extension:

openid.ns.pape = "http://specs.openid.net/extensions/pape/1.0"
openid.pape.max_auth_age = 0

as part of the URL when you are logging into an OpenID provider.

More information here http://code.google.com/apis/accounts/docs/OpenID.html
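
An added example (not code from any answer on this page) of the PAPE approach described above, extended to the relying party's check on the response: it adds the two parameters to an OpenID 2.0 request and then confirms that the OP returned a signed, recent `auth_time`. The endpoint `op.example`, the sample messages, the function names and the 120-second tolerance are assumptions, and the assertion's signature is assumed to have been verified already by your OpenID library.

```javascript
const PAPE_NS = "http://specs.openid.net/extensions/pape/1.0";

// Constructed sample request to a hypothetical OP endpoint.
const SAMPLE_REQUEST = "https://op.example/auth?openid.mode=checkid_setup" +
  "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0" +
  "&openid.return_to=https%3A%2F%2Frp.example%2Freturn";

// Constructed sample positive assertion; this OP chose the alias "ext1".
const SAMPLE_RESPONSE = {
  "openid.ns": "http://specs.openid.net/auth/2.0",
  "openid.mode": "id_res",
  "openid.ns.ext1": PAPE_NS,
  "openid.ext1.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
  "openid.ext1.auth_time": "2011-03-01T10:00:05Z",
  "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce," +
    "assoc_handle,ns.ext1,ext1.auth_policies,ext1.auth_time",
};

// Ask the OP to re-authenticate the user even if an OP session already exists.
function addForcedReauth(authRequestUrl) {
  const url = new URL(authRequestUrl);
  url.searchParams.set("openid.ns.pape", PAPE_NS);
  url.searchParams.set("openid.pape.max_auth_age", "0");
  // PAPE 1.0 lists this request field as required; empty means no specific policy.
  if (!url.searchParams.has("openid.pape.preferred_auth_policies")) {
    url.searchParams.set("openid.pape.preferred_auth_policies", "");
  }
  return url.toString();
}

// True only if the OP reported, in a signed field, a login within the tolerance.
// Call this only after the assertion signature has been verified.
function reauthWasFresh(params, nowMs, toleranceSec = 120) {
  // The OP picks its own alias in the response, so find it by namespace URI.
  const nsKey = Object.keys(params).find(
    (k) => k.startsWith("openid.ns.") && params[k] === PAPE_NS);
  if (!nsKey) return false; // OP ignored the PAPE request
  const alias = nsKey.slice("openid.ns.".length);
  const signed = (params["openid.signed"] || "").split(",");
  if (!signed.includes(`${alias}.auth_time`)) return false; // unsigned field
  const authTime = Date.parse(params[`openid.${alias}.auth_time`]);
  if (Number.isNaN(authTime)) return false; // missing or malformed timestamp
  return Math.abs(nowMs - authTime) / 1000 <= toleranceSec;
}
```

If `reauthWasFresh` returns false, treat the login as not re-authenticated and do not create the local session.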

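Below is one trick by which I can log out from Google:

<iframe id="myIFrame" src="" style="display:none;"></iframe>
<script>
 // Point the hidden iframe at Google's logout URL.
 function logOutGoogle(){
     document.getElementById('myIFrame').src='https://www.google.com/accounts/Logout';
     timeOut(); // timeOut() is not shown in the original post
 }
</script>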

I'm doing my project and am stuck on the logout problem. Like you, I don't know how to do that. I have solved it by resetting all of the cookies, because I don't know which cookie sets the logged-in status; I need to know it.

You must have created some session variables after successful verification from the OpenID provider; you just need to destroy those session variables. You cannot destroy the session that is created by the OpenID provider.

Here is a trustworthy solution for logging out of Google and your RP.

Just call this URI

https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://www.yourapp.com

It will log out of Google and redirect back to your app. Thanks!

Soon I will post my logout solution for Windows Live and facebook.com STS.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow