Re: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

John Bradley <ve7jtb@ve7jtb.com> Thu, 03 January 2013 18:02 UTC

To: Adrian Servenschi <adrian@c4media.com>
Cc: oauth@ietf.org

It sounds like your issue is logging the user out of the IdP. There are several non-interoperable ways of doing that in SAML.

That is out of scope for OAuth itself.

In the open internet the issue tends to be that IdPs don't want to be accepting logout messages from RPs that terminate the user's session without confirmation from the user.

In OpenID Connect we are doing some things with session management where an RP can redirect a user to the IdP to terminate sessions; however, that is optional for the IdP to implement.

For the moment you will have to deal with each IdP separately if you want to try and kill IdP sessions when the user logs out of your RP.

John B.
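As an added illustration of what John describes (this is example code written for this page, not code from the thread and not Scribe's API): an RP logout handler that always clears its own session, then checks whether the IdP advertises an end_session_endpoint in its discovery metadata. If it does, the handler builds the OpenID Connect RP-Initiated Logout redirect (id_token_hint, post_logout_redirect_uri, state); if not, it falls back to the notice Adrian calls option 3. The issuer URLs, discovery documents and session dict are constructed stand-ins for a real IdP and session store.

```python
"""RP-side logout: use OpenID Connect RP-Initiated Logout when the IdP
offers it, otherwise tell the user their IdP session is still alive."""
import secrets
from urllib.parse import urlencode

# Constructed discovery documents for two hypothetical IdPs: one publishes an
# end_session_endpoint, the other does not (the endpoint is optional for IdPs).
IDP_METADATA = {
    "https://idp-with-logout.example": {
        "issuer": "https://idp-with-logout.example",
        "end_session_endpoint": "https://idp-with-logout.example/logout",
    },
    "https://idp-without-logout.example": {
        "issuer": "https://idp-without-logout.example",
    },
}
# The RP's registered post-logout redirect URI (assumed client configuration).
RP_POST_LOGOUT_URI = "https://rp.example/logged-out"

NOTICE = ("You have been signed out of this application only. "
          "Your session with your identity provider is still active.")


def build_logout(session, issuer, metadata=IDP_METADATA,
                 post_logout_uri=RP_POST_LOGOUT_URI):
    """Terminate the RP session and decide what the browser sees next.

    Returns {'redirect': url, 'state': s} when the IdP supports RP-initiated
    logout (the RP must store 'state' to validate the return trip), or
    {'notice': text} when the IdP does not advertise an end_session_endpoint.
    The IdP may still ask the user to confirm before ending its own session.
    """
    id_token = session.pop("id_token", None)   # becomes the id_token_hint
    session.clear()                            # always kill the RP session first
    endpoint = metadata.get(issuer, {}).get("end_session_endpoint")
    if not endpoint or id_token is None:
        return {"notice": NOTICE}
    state = secrets.token_urlsafe(16)          # binds the return redirect to this request
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_uri,
        "state": state,
    }
    return {"redirect": f"{endpoint}?{urlencode(params)}", "state": state}
```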

On 2013-01-02, at 6:25 PM, Adrian Servenschi <adrian@c4media.com> wrote:

> Hi guys,
> 
> I am working on implementing login/registration with common identity providers into our application.
> I am using the Scribe for Java library, which implements the OAuth protocol.
> 
> I've encountered what I consider a small security issue that I don't know how to solve.
> If I sign in to our application via, let's say, Google and then sign out, the Google session cookie remains active in the browser.
> I can open Gmail afterwards in my browser and my inbox is displayed without the need to authenticate.
> 
> Imagine that a user signs in to our application in an internet cafe, then signs out and leaves the facility.
> A different client comes to the same desk, opens Gmail, and he/she sees the inbox of the first person.
> This can be a security hazard which I don't know how to solve.
> I see only 3 options:
> 
> 1) I can leave it like this --> hazardous
> 2) If I use the Google API to sign the user out of Google when performing sign out from our application, then the user will be signed out of every Google application he has opened in his browser.
> In addition, I heard that the documentation for performing sign out via various identity providers' APIs is not quite clear. But this still needs to be investigated.
> 
> 3) The third option: displaying some informative text when the user signs out of the application, informing him that he/she signed out of our application only and not of Google/other identity provider, seems to be the best option.
> 
> I would highly appreciate it if you can advise me regarding this issue.
> Thank you very much in advance!
> 
> Adrian Servenschi.    
> 
> P.S. This is what I found on the Facebook Platform Policies page http://developers.facebook.com/policy/
> Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
> 
> So indeed a form of option 3) will be the best choice?
> Looking forward to your advice and suggestions.