Re: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x
Adrian Servenschi <adrian@c4media.com> Tue, 08 January 2013 00:24 UTC
In-Reply-To: <50E5ED4B.5070000@aol.com>
References: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com> <50E5ED4B.5070000@aol.com>
Date: Tue, 08 Jan 2013 02:24:54 +0200
Message-ID: <CAJWC9xP3G4QerF8L-EUxH+9ipq3sXX5SeHuNJcWc0JeqWWc_7w@mail.gmail.com>
From: Adrian Servenschi <adrian@c4media.com>
To: George Fletcher <gffletch@aol.com>
Cc: oauth@ietf.org
Thank you George, John, William and Justin,

Your responses are knowledgeable and extremely helpful. You are a great team.

Thanks again.
Adrian Servenschi.

On Thu, Jan 3, 2013 at 10:42 PM, George Fletcher <gffletch@aol.com> wrote:

> There is no standardization of the logout flow in OAuth or OpenID (there
> is in OpenID Connect as John mentioned) so your option 3...
>
> 3) The third option: displaying some informative text when the user signs
> out from the application informing him that he/she signed out from our
> application only, and not from Google/other identity provider,
> seems to be the best option.
>
> is the best option right now.
>
> The problem is that as the application you don't know if the user signed
> in with Google just to access your app, or if they already had gmail open.
> In the first case it would be nice to sign the user out of Google since
> they authenticated solely for the purpose of accessing your app. In the
> second case you DON'T want to sign them out as that will kill their gmail
> session which is probably not what the user (or your app) wants.
>
> So, informing the user that they are still logged in at Google is a good
> choice. You might want to give the user the option to forgo the warning in
> the future once they understand what is happening.
>
> Thanks,
> George
>
> On 1/2/13 4:25 PM, Adrian Servenschi wrote:
>
> > Hi guys,
> >
> > I am working on implementing login/registration with common identity
> > providers into our application.
> > I am using the Scribe for Java library, which implements the *OAuth* protocol.
> >
> > I've encountered what I consider a small security issue that I don't
> > know how to solve.
> > If I sign in to our application via, let's say, Google and then I sign
> > out, the Google session cookie remains active in the browser.
> > I can open Gmail afterwards in my browser and my inbox is displayed
> > without the need for authentication.
> >
> > Imagine that a user signs in to our application in an internet cafe,
> > then signs out and leaves the facility.
> > A different client comes to the same desk, opens Gmail and he/she sees the
> > inbox of the first person.
> > This can be a security hazard which I don't know how to solve.
> > I see only 3 options:
> >
> > 1) I can leave it like this --> hazardous
> > 2) If I use the Google API to sign out the user from Google when
> > performing sign out from our application then the user will be signed out
> > from every Google application he has opened in his browser.
> > In addition I heard that the documentation for performing sign out via
> > various identity providers' APIs is not quite clear. But this still needs to
> > be investigated.
> >
> > 3) The third option: displaying some informative text when the user
> > signs out from the application informing him that he/she signed out from
> > our application only, and not from Google/other identity provider,
> > seems to be the best option.
> >
> > I would highly appreciate it if you can advise me regarding this issue.
> > Thank you very much in advance!
> >
> > Adrian Servenschi.
> >
> > P.S. This is what I found on the Facebook Platform Policies page
> > http://developers.facebook.com/policy/
> > Your website must offer an explicit "Log Out" option that also logs the
> > user out of Facebook.
> >
> > So indeed a form of option 3) will be the best choice?
> > Looking forward to your advice and suggestions.
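The logout handler George describes (option 3: end only the application's own session, leave the identity provider's browser session untouched, tell the user so, and let them opt out of the notice once they understand it) as an added example. This is illustrative code written for this page, not code from the thread, from Scribe, or from any identity provider; the in-memory session store, the cookie name `app_session`, and the notice wording are all assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: an in-memory session store standing in for the
# application's real session backend. Nothing here calls the identity
# provider's sign-out API; the IdP's own browser session is left alone.

APP_COOKIE = "app_session"  # assumed name of the application's own session cookie


@dataclass
class AppSession:
    user_id: str
    idp: str           # identity provider used to sign in, e.g. "google"
    access_token: str  # token the app obtained through the OAuth flow


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, AppSession] = {}
        # per-user choice to forgo the logout notice once they understand it
        self._suppress_notice: Dict[str, bool] = {}

    def create(self, user_id: str, idp: str, access_token: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = AppSession(user_id, idp, access_token)
        return sid

    def get(self, sid: str) -> Optional[AppSession]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        # Drops the stored access token together with the session.
        self._sessions.pop(sid, None)

    def set_suppress_notice(self, user_id: str, value: bool) -> None:
        self._suppress_notice[user_id] = value

    def suppress_notice(self, user_id: str) -> bool:
        return self._suppress_notice.get(user_id, False)


def logout_notice(idp: str) -> str:
    """Text shown after logout: the app session ended, the IdP session did not."""
    return (
        f"You have been signed out of this application only. "
        f"Your {idp} session in this browser is still active; if you are on a "
        f"shared computer, also sign out of {idp} before leaving."
    )


def logout(store: SessionStore, sid: Optional[str]) -> dict:
    """Handle POST /logout. Ends only the application's session (option 3).

    Returns a response-like dict: status, headers, and the notice to render
    (None when the user opted out of it or no session was active).
    """
    # Expire the app cookie unconditionally so logout is idempotent even when
    # the session is already gone or the cookie was stale.
    headers = [
        ("Set-Cookie", f"{APP_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Cache-Control", "no-store"),
    ]
    notice = None
    session = store.get(sid) if sid else None
    if session is not None:
        store.destroy(sid)
        if not store.suppress_notice(session.user_id):
            notice = logout_notice(session.idp)
    return {"status": 303, "headers": headers, "notice": notice}


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("user-1", "Google", "ya29.constructed-token")
    print(logout(store, sid)["notice"])
```

The handler deliberately has no branch that contacts Google: as George points out, the application cannot tell whether the user signed in only for this app or already had Gmail open, so the safe default is to end the local session, render the notice, and leave the decision about the IdP session to the user. The per-user `suppress_notice` flag is the "forgo the warning in the future" option from the reply.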