Re: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

George Fletcher <gffletch@aol.com> Thu, 03 January 2013 20:42 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E61C21F8D8D for <oauth@ietfa.amsl.com>; Thu, 3 Jan 2013 12:42:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CHdSFmls9XCF for <oauth@ietfa.amsl.com>; Thu, 3 Jan 2013 12:42:53 -0800 (PST)
Received: from imr-mb01.mx.aol.com (imr-mb01.mx.aol.com [64.12.207.164]) by ietfa.amsl.com (Postfix) with ESMTP id E889C21F8D03 for <oauth@ietf.org>; Thu, 3 Jan 2013 12:42:52 -0800 (PST)
Received: from mtaout-ma04.r1000.mx.aol.com (mtaout-ma04.r1000.mx.aol.com [172.29.41.4]) by imr-mb01.mx.aol.com (Outbound Mail Relay) with ESMTP id 5C5651C00018C; Thu, 3 Jan 2013 15:42:52 -0500 (EST)
Received: from palantir.office.aol.com (palantir.office.aol.com [10.181.186.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id D3204E000384; Thu, 3 Jan 2013 15:42:51 -0500 (EST)
Message-ID: <50E5ED4B.5070000@aol.com>
Date: Thu, 03 Jan 2013 15:42:51 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Adrian Servenschi <adrian@c4media.com>
References: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com>
In-Reply-To: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070106020901020708070609"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1357245772; bh=9D8GnpmjQY1oau+67gF49Vz7Jup5Hp+zoDm4Q8YMpZ4=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=DuYHx5/o8erG5x4edhB2VMk4hA1t8bAZe6cLgxLtBQ8VUePgTz3dKbpFzgz3O5+Co IZ76BI2AdiV9l/PTtVOERskWl3thRYGJuTuj/h07FBNJYDO7j436b/Mjpli07i8z/Z 7GUtHGWQjOU8V0ROQ1EDTLW7pbgyTUa0zrhGE9Do=
X-AOL-SCOLL-SCORE: 0:2:466427328:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d290450e5ed4b192c
X-AOL-IP: 10.181.186.254
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2013 20:42:54 -0000

There is no standardization of the logout flow in OAuth or OpenID (there 
is in OpenID Connect as John mentioned) so your option 3...

    3) The third option : displaying some informative text when the user
    signs out from the application informing him that he/she signed out
    from our application only, and not from Google/other identity provider,
    seems to be the best option.

is the best option right now.

The problem is that as the application you don't know if the user signed 
in with Google just to access your app, or if they already had gmail 
open. In the first case it would be nice to sign the user out of Google 
since they authenticated solely for the purpose of accessing your app. 
In the second case you DON'T want to sign them out as that will kill 
their gmail session which is probably not what the user (or your app) wants.

So, informing the user that they are still logged in at Google is a good 
choice. You might want to give the user the option to forgo the warning 
in the future once they understand what is happening.

Thanks,
George

On 1/2/13 4:25 PM, Adrian Servenschi wrote:
> Hi guys,
>
> I am working on implementing login/registration with common identity 
> providers into our application.
> I am using the Scribe for Java library, which implements the *OAuth* protocol.
>
> I've encountered what I consider a small security issue that I don't 
> know how to solve.
> If I sign in to our application via, let's say, Google and then I sign 
> out, the Google session cookie remains active in the browser.
> I can open Gmail afterwards in my browser and my inbox is displayed 
> without the need of authentication.
>
> Imagine that a user signs in to our application in an internet cafe, 
> then signs out and leaves the facility.
> A different client comes to the same desk, opens Gmail and he/she sees 
> the inbox of the first person.
> This can be a security hazard which I don't know how to solve.
> I see only 3 options:
>
> 1) I can leave it like this --> hazardous
> 2) If I use the Google API to sign out the user from Google when 
> performing Sign out from our application then the user will be signed 
> out from every Google application he has opened in his browser.
> In addition I heard that the documentation for performing Sign Out via 
> various identity providers APIs is not quite clear. But this still 
> needs to be investigated.
>
> 3) The third option : displaying some informative text when the user 
> signs out from the application informing him that he/she signed out 
> from our application only, and not from Google/other identity provider,
> seems to be the best option.
>
> I would highly appreciate it if you could advise me regarding this issue.
> Thank you very much in advance!
>
> Adrian Servenschi.
>
> P.S. This is what I found on Facebook Platform Policies page 
> http://developers.facebook.com/policy/ 
> <http://developers.facebook.com/policy/>
> Your website must offer an explicit "Log Out" option that also logs 
> the user out of Facebook.
>
> So indeed a form of option 3) would be the best choice?
> Looking forward to your advice and suggestions.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
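An added example (not code from George, Adrian, or the Scribe library) of the relying-party logout handler this thread is about, in Python with the standard library only. It shows the two things the reply says are actually available to the application: destroying only its own session and telling the user they are still signed in at the identity provider, or, where the provider speaks OpenID Connect, handing the logout to the provider through the OIDC RP-Initiated Logout request (`end_session_endpoint` with `id_token_hint`), which plain OAuth does not define. The session fields, the endpoint URLs, the token value, and the design choice of resolving George's "did they sign in just for us?" dilemma by asking the user with an explicit checkbox are all assumptions of the example; the "s-oauth" session models the Scribe-style OAuth sign-in from the original question, which has no ID token and therefore no standard way to end the Google session.

```python
"""Relying-party (RP) logout after 'sign in with an identity provider'.

Added example. The RP can only destroy its own session cookie; the IdP's
cookies live on the IdP's domain. Two honest options remain: explain that
to the user, or (OIDC only) redirect to the OP's end_session_endpoint.
All endpoints, session contents and token values below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets
import urllib.parse


@dataclass
class Session:
    user_id: str
    idp_name: str                                # e.g. "Google"
    id_token: Optional[str] = None               # present only after an OIDC sign-in
    end_session_endpoint: Optional[str] = None   # from the OP's discovery document, if any
    hide_logout_notice: bool = False             # user opted out of the reminder


@dataclass
class LogoutResult:
    kind: str                                    # "redirect" or "page"
    location: Optional[str] = None               # redirect target when kind == "redirect"
    notice: str = ""                             # text shown when kind == "page"
    cleared_cookies: List[str] = field(default_factory=list)


def end_session_url(endpoint: str, id_token: str,
                    post_logout_redirect_uri: str, state: str) -> str:
    """Build an OIDC RP-Initiated Logout request: GET end_session_endpoint?..."""
    params = {
        "id_token_hint": id_token,                             # which OP session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,  # must be registered at the OP
        "state": state,                                        # echoed back by the OP
    }
    return endpoint + "?" + urllib.parse.urlencode(params)


def logout(sessions: Dict[str, Session], session_id: str, also_sign_out_of_idp: bool,
           post_logout_redirect_uri: str = "https://app.example/logged-out",
           state: Optional[str] = None) -> LogoutResult:
    """Handle the RP's own 'Log out' click.

    `also_sign_out_of_idp` is the user's answer to an explicit checkbox on the
    logout page: the RP cannot tell whether the IdP session pre-dates its own.
    """
    # 1. Always destroy the RP session, whatever else happens.
    session = sessions.pop(session_id, None)
    cleared = ["rp_session"]
    if session is None:
        return LogoutResult(kind="page", notice="You were not signed in.",
                            cleared_cookies=cleared)

    # 2. Delegate IdP logout only when the protocol defines it (OIDC) and the user asked.
    if also_sign_out_of_idp and session.id_token and session.end_session_endpoint:
        state = state or secrets.token_urlsafe(16)   # bind the round trip to this request
        return LogoutResult(
            kind="redirect",
            location=end_session_url(session.end_session_endpoint, session.id_token,
                                     post_logout_redirect_uri, state),
            cleared_cookies=cleared,
        )

    # 3. Plain OAuth, or the user declined: say exactly what did and did not happen.
    if session.hide_logout_notice:
        notice = "You have signed out of this application."
    else:
        notice = (f"You have signed out of this application only. You are still signed "
                  f"in to {session.idp_name}; on a shared computer, sign out there as well "
                  f"or close the browser.")
    return LogoutResult(kind="page", notice=notice, cleared_cookies=cleared)


# Constructed sample sessions: one OIDC sign-in, one plain-OAuth sign-in (no ID token).
SAMPLE_SESSIONS: Dict[str, Session] = {
    "s-oidc": Session(user_id="alice", idp_name="Example OP",
                      id_token="id-token-placeholder",
                      end_session_endpoint="https://op.example/logout"),
    "s-oauth": Session(user_id="bob", idp_name="Google"),
}

if __name__ == "__main__":
    store = dict(SAMPLE_SESSIONS)
    print(logout(store, "s-oidc", also_sign_out_of_idp=True))    # redirect to the OP
    print(logout(store, "s-oauth", also_sign_out_of_idp=True))   # page: still signed in to Google
```

The OIDC branch only removes the user's session at the provider; what the provider does with its other applications is the provider's policy, so the checkbox wording should say "also sign out of <IdP>" rather than promise anything narrower.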