25

I have recently added OpenID login to my website. But I don't know how to add the logout feature.

For example, on clicking the Sign In button I am able to show the login form of the selected OpenID provider, for example Google Account. However, I don't know how to implement a Sign Out button to sign out of the Google Account.

Please advise.

Madhu

9 Answers

39

Individual OpenID providers offer different URLs for logout to which the user can be redirected.

Google: https://www.google.com/accounts/Logout

Yahoo: https://login.yahoo.com/config/login?logout=1

There has been discussion of allowing OPs to provide these URLs as a part of the standard; see this discussion on the OpenID mailing list.

Charles Duffy
  • I would guess that those URLs will stop accepting GET requests for logging out pretty soon. It's far from fun when any random site can log you out of all Google services (and other services authenticated by Google) just by getting your browser to do a GET request (e.g. embed an image on a page, iframe, redirect). That URL should provide a confirmation page that contains a POST submit button and CSRF protection. – Mikko Rantalainen Jan 31 '12 at 11:31
  • @MikkoRantalainen well, after >2 years, those are still working fine. – Olli Feb 11 '14 at 12:27
  • I have implemented OpenID for Google and Yahoo; logout works like a charm with a jQuery `ajax` request to the above logout addresses. I don't know whether it is correct or not, but for our agile process it is a good solution so far :). It may be better to use an iframe!! – Aria Apr 24 '15 at 07:24
  • OpenID Connect does provide single logout using 3 approaches: one as part of its "Session Management" spec, a front-channel (HTTP-based) approach and a back-channel approach. – Leo Jun 01 '19 at 06:38
13

An OpenID relying party can't log the user out of the OP; you can only implement local logout. Just as the RP cannot log the user into the OP.

Michael Krelin - hacker
5

I think you're mixing paradigms (hate that word, but can't think of a better one to use just now). Your login link sends the user to their OpenID provider for authentication, but it's not the user logging in to their Google account that's the important bit, it's logging in to your website, by providing credentials via OpenID. The user may well already be logged in to their OpenID provider; you don't (can't) know and don't have to care.

Similarly, the logout link on your site should log the user out of your site only, returning them to the same state as before they clicked the login button. The user might have logged out of their OpenID provider already; you neither know nor care. This site is a good example :).

Andrew Aylett
  • If the two paradigms are 1) kill session and 2) logout from identity provider, then IMHO users expect the second when they hit logout. What user cares about the server's session? They want to ensure that someone can't get on their computer, click on your site, and create a new session without explicitly re-authenticating. In this, I don't agree with SO's approach to logout. Perhaps the "logout" term is no longer valid for web sites using SSO in favor of ??? single-logout? – s_t_e_v_e Aug 13 '13 at 15:31
1

Just destroy the session.

troelskn
1

You can only implement local logout for OpenID. As Charles Duffy said, you can always use specific URLs, but that is provided the user is using a provider that you know the logout URL for. That can be frustrating if your users discover that all their Google accounts are logged out when they log out of your website.

The other way of looking at the problem is whether you want to ensure that the person logging into your website always needs to key in their password, instead of just being logged in when they are already logged in to an OpenID provider.

This (IMHO) provides better security if they are using it from a public terminal. This will ensure that the user who is logging in always needs to revalidate his password.

To do that it's actually quite simple: just use the PAPE extension,

openid.ns.pape = "http://specs.openid.net/extensions/pape/1.0"
openid.pape.max_auth_age = 0

as part of the URL when you are logging into an OpenID provider.

More information here http://code.google.com/apis/accounts/docs/OpenID.html

  • At least once, I've gotten a business requirement to cause a user to log out of everywhere when they logged out of my website -- if for no other reason, because that's how Facebook's single-sign-on works. Just because it's inconvenient and annoying doesn't mean it isn't "desired" behavior. *sigh*. – Charles Duffy Jun 23 '11 at 06:01
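As an added example that is not part of the answer above or of Google's documentation: building the OpenID 2.0 `checkid_setup` request with the two PAPE parameters the answer names, and then checking the OP's positive assertion actually honoured `max_auth_age`. Requesting `max_auth_age=0` is only half the job; the RP has to read `openid.pape.auth_time` from the signed response, otherwise an OP that ignores the request (or a replayed old assertion) is accepted as a fresh login. The endpoint, realm and return URL are illustrative, the 60-second skew allowance is an assumption, and the normal signature check on the response is assumed to have happened already.

```javascript
'use strict';
// Added example, not code from the answer or from Google's documentation:
// build an OpenID 2.0 checkid_setup request carrying PAPE max_auth_age, and
// check that the OP's response honoured it. Endpoint, realm and return_to
// values are illustrative.
const OPENID_NS = 'http://specs.openid.net/auth/2.0';
const PAPE_NS = 'http://specs.openid.net/extensions/pape/1.0';
const IDENTIFIER_SELECT = 'http://specs.openid.net/auth/2.0/identifier_select';
// Assumption: allow this much clock skew plus redirect latency; with
// max_auth_age=0 no response could otherwise ever pass the check.
const SKEW_SECONDS = 60;

function buildAuthRequest(opEndpoint, realm, returnTo, maxAuthAge) {
  const u = new URL(opEndpoint);
  const p = u.searchParams;
  p.set('openid.ns', OPENID_NS);
  p.set('openid.mode', 'checkid_setup');
  p.set('openid.claimed_id', IDENTIFIER_SELECT); // directed identity, as Google's OP uses
  p.set('openid.identity', IDENTIFIER_SELECT);
  p.set('openid.realm', realm);
  p.set('openid.return_to', returnTo);
  p.set('openid.ns.pape', PAPE_NS);
  p.set('openid.pape.max_auth_age', String(maxAuthAge)); // 0 = re-enter the password now
  return u.toString();
}

// params: the positive assertion's query parameters as a plain object, after
// the normal OpenID signature verification (not shown here).
function authIsFresh(params, maxAuthAge, nowMs = Date.now()) {
  if (params['openid.ns.pape'] !== PAPE_NS) return false;
  const signed = (params['openid.signed'] || '').split(',');
  // Only trust PAPE fields covered by the signature; an unsigned auth_time
  // could simply be appended to a replayed, stale assertion.
  if (!signed.includes('ns.pape') || !signed.includes('pape.auth_time')) return false;
  const authTimeMs = Date.parse(params['openid.pape.auth_time']);
  if (Number.isNaN(authTimeMs)) return false;
  const ageSeconds = (nowMs - authTimeMs) / 1000;
  return ageSeconds >= 0 && ageSeconds <= maxAuthAge + SKEW_SECONDS;
}
```

A login that reaches the RP with a stale or unsigned `auth_time` should be treated as a failed login, not silently downgraded to "logged in but not fresh".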
1

Below is one trick by which I can log out from Google:

<iframe id="myIFrame" src="" style="display:none;"></iframe>
<script>
  // Pointing the hidden iframe at Google's logout URL makes the browser send
  // the request with the user's Google cookies, which ends the Google session.
  function logOutGoogle() {
      document.getElementById('myIFrame').src = 'https://www.google.com/accounts/Logout';
      timeOut(); // helper not shown in the post (presumably a delayed redirect)
  }
</script>
canadian_scholar
Anjeet
0

I'm doing my project and I'm stuck on the logout problem. Like you, I don't know how to do that. I have solved it by resetting all of the cookies, because I don't know which cookie sets the logged-in status; I need to know it.

  • I think that clearing all the cookies would log the user out of all the websites he has logged in to, say Google, Yahoo!, Facebook, etc. Not sure whether I am correct. Can you please post the code? – Madhu Dec 30 '09 at 18:55
0

You must have created some session variables after successful verification from the OpenID provider; you just need to destroy those session variables. You cannot destroy the session that is created by the OpenID provider.

Gaurav Sharma
-1

Here is a trustworthy solution for logging out of Google and your RP.

Just call this URI

https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://www.yourapp.com

It will log out of Google and redirect back to your app. Thanks!

Soon I will post my logout solution for Windows Live and the facebook.com STS.