[OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

Adrian Servenschi <adrian@c4media.com> Wed, 02 January 2013 21:25 UTC

Return-Path: <adrian@c4media.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 726F821F8584 for <oauth@ietfa.amsl.com>; Wed, 2 Jan 2013 13:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id pz4Y6XHHv8w8 for <oauth@ietfa.amsl.com>; Wed, 2 Jan 2013 13:25:58 -0800 (PST)
Received: from mail-ob0-f181.google.com (mail-ob0-f181.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id 96A1521F854B for <oauth@ietf.org>; Wed, 2 Jan 2013 13:25:58 -0800 (PST)
Received: by mail-ob0-f181.google.com with SMTP id oi10so12921875obb.40 for <oauth@ietf.org>; Wed, 02 Jan 2013 13:25:58 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-gm-message-state; bh=fbEhvooo7ZiYl/BP3TjqVKDkUa26k078hp1TW3Z5y88=; b=dDPk55xFkvc2nqcloWN/7xOAuHw6cUFqQNjR+4at+mG7qa8r9dv4vTHJR3LDj+GsyD UJ18DXQ0gAuHSpEd1GU9J8y+bx8ITHSxAAOTPAhmZuDH47agfMPkqVJHHxUWKjrZANMn S+hcmw6Iqug3B7sI1jMfEAXQLhQOJAvCA9udpDXFTAf2b4/bXrZHg4+th/AG0OpnBN5b dJfpW4v0v2kZdJdRrk3zSID8x1njjYFMr+mggOVPbxQCKsNTHA32YYQ82MMShp1Y+VsD kkKfU9GwhjVHU3aLkhz6/ZBcS18RRH/Q7H96yLiD7eGiC23H9lrNo6qki/XtGwcmW25b 2TXg==
MIME-Version: 1.0
Received: by with SMTP id ag15mr25853471oec.120.1357161958028; Wed, 02 Jan 2013 13:25:58 -0800 (PST)
Received: by with HTTP; Wed, 2 Jan 2013 13:25:57 -0800 (PST)
Date: Wed, 02 Jan 2013 23:25:57 +0200
Message-ID: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com>
From: Adrian Servenschi <adrian@c4media.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="bcaec550afdc69373904d254e465"
X-Gm-Message-State: ALoCoQlD7/XMDnw8JNprYZZ4w5veiODZwcIW3VJ6glVHY1S0HzG5uqjDjJw5+OKxi+lulhIlx2NT
X-Mailman-Approved-At: Thu, 03 Jan 2013 08:57:29 -0800
Subject: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2013 21:27:03 -0000

Hi guys,

I am working on implementing login/registration with common identity
providers into our application.
I am using Scribe for java library which implements the *OAuth* protocol.

I've encountered what I consider a small security issue that I don't know
how to solve.
If I sign in into our application via let's say Google and then I sign out,
the Google session cookie remains active in the browser.
I can open Gmail afterwards in my browser and my inbox is displayed without
the need of authentication.

Imagine that a user signs in to our application in an internet cafe, then
signs out and leaves the facility.
A different client comes at the same desk, opens Gmail and he/she sees the
inbox of the first person.
This can be a security hazard which I don't know how to solve.
I see only 3 options:

1) I can leave it like this --> hazardous
2) If I use Google API to sign out the user from the Google when performing
Sign out from our application then the user will be signed out from every
Google application he has opened in his browser.
In addition I heard that the documentation for performing Sign Out via
various identity providers APIs is not quite clear. But this still needs to
be investigated.

3) The third option : displaying some informative text when the user sings
out from the application informing him that he/she signed out from our
application only, and not from Google/other identity provider,
seems to be the best option.

I will highly appreciate if you can advise me regarding this issue.
Thank you very much in advance!

Adrian Servenschi.

P.S. This is what I found on Facebook Platform Policies page
http://developers.facebook.com/policy/ <http://developers.facebook.com/policy/>
Your website must offer an explicit "Log Out" option that also logs the
user out of Facebook.

So indeed a form of 3) option will be the best choice?
Looking forward to your advices and suggestions.