Re: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

William Mills <wmills_92105@yahoo.com> Thu, 03 January 2013 17:54 UTC

References: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com>
Message-ID: <1357235657.53898.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Thu, 03 Jan 2013 09:54:17 -0800
From: William Mills <wmills_92105@yahoo.com>
To: Adrian Servenschi <adrian@c4media.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAJWC9xN0JJhT0g38BGHPXehNYaZC7XOn=7few2Ey_K=qaLSphQ@mail.gmail.com>

Don't use OAuth, use OpenID.  OAuth isn't designed for authentication and OpenID is.


________________________________
From: Adrian Servenschi <adrian@c4media.com>
To: oauth@ietf.org
Sent: Wednesday, January 2, 2013 1:25 PM
Subject: [OAUTH-WG] need advice on sign out after performing sign in via OAuth 10x

Hi guys,

I am working on implementing login/registration with common identity providers into our application.
I am using the Scribe library for Java, which implements the OAuth protocol.

I've encountered what I consider a small security issue that I don't know how to solve.
If I sign in to our application via, let's say, Google and then sign out, the Google session cookie remains active in the browser.
I can open Gmail afterwards in my browser and my inbox is displayed without needing to authenticate.

Imagine that a user signs in to our application in an internet cafe, then signs out and leaves the facility.
A different client comes to the same desk, opens Gmail and he/she sees the inbox of the first person.
This can be a security hazard which I don't know how to solve.
I see only 3 options:

1) I can leave it like this --> hazardous
2) If I use the Google API to sign out the user from Google when performing Sign out from our application, then the user will be signed out from every Google application he has opened in his browser.
In addition I heard that the documentation for performing Sign Out via various identity providers' APIs is not quite clear. But this still needs to be investigated.

3) The third option: displaying some informative text when the user signs out from the application, informing him that he/she signed out from our application only, and not from Google/other identity provider,
seems to be the best option.

I would highly appreciate it if you could advise me regarding this issue.
Thank you very much in advance!

Adrian Servenschi.

P.S. This is what I found on the Facebook Platform Policies page http://developers.facebook.com/policy/
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
So indeed a form of option 3) will be the best choice?
Looking forward to your advice and suggestions.
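A minimal relying-party sign-out handler for option 3 from the message above, added here as an example (it is not code from the thread, from the Scribe library, or from any identity provider). It destroys the application's server-side session, expires the application's own cookie with matching attributes so the browser actually drops it, and returns a notice that the identity-provider session in the browser is untouched. The names SESSION_COOKIE, SessionStore, IDP_NAMES, parse_cookie_header and logout, and the sample user, are assumptions for this illustration.

```python
"""
Relying-party (RP) sign-out handler, constructed example.
Implements "option 3": end the RP's own session and say plainly that the
identity-provider (IdP) session in the browser is not affected.
"""
import secrets

# Name of the RP's own session cookie (assumed for this example).
SESSION_COOKIE = "rp_session"

# Display names of the identity providers the RP accepts (constructed).
IDP_NAMES = {"google": "Google", "facebook": "Facebook"}


class SessionStore:
    """Minimal in-memory server-side session store (stand-in for a real one)."""

    def __init__(self):
        self._sessions = {}

    def create(self, subject, idp):
        # The cookie carries only a random id; the identity lives server-side,
        # so destroying the record logs the user out even if a copy of the
        # cookie value survives somewhere.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"subject": subject, "idp": idp}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        return self._sessions.pop(sid, None)


def parse_cookie_header(header):
    """Parse a Cookie request header into a dict (first value for a name wins)."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def logout(store, cookie_header, default_idp=None):
    """Handle the RP's sign-out request. Returns (status, headers, body)."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    session = store.destroy(sid) if sid else None
    idp = (session or {}).get("idp", default_idp)
    idp_name = IDP_NAMES.get(idp, "your identity provider")

    headers = [
        # Expire the RP cookie with the same attributes it was set with;
        # a mismatched Path or Domain would leave the original cookie in place.
        ("Set-Cookie",
         f"{SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"),
        # Also ask the browser to drop this origin's cookies and storage.
        # Like Set-Cookie, this reaches only the RP's own origin, never the IdP's.
        ("Clear-Site-Data", '"cookies", "storage"'),
        ("Cache-Control", "no-store"),
        ("Content-Type", "text/plain; charset=utf-8"),
    ]
    body = (
        "You are signed out of this application.\n"
        f"You are still signed in to {idp_name} in this browser; this application "
        f"cannot clear {idp_name}'s cookies. On a shared computer, sign out of "
        f"{idp_name} as well, or close the browser.\n"
    )
    return 200, headers, body


if __name__ == "__main__":
    # Constructed walk-through: sign in, then sign out at the RP only.
    store = SessionStore()
    sid = store.create("alice@example.com", "google")
    status, headers, body = logout(store, f"{SESSION_COOKIE}={sid}")
    print(status, headers[0])
    print(body)
```

The browser only honours Set-Cookie and Clear-Site-Data for the origin that sent the response, which is why the handler cannot touch the Google cookie and has to tell the user instead. Ending the IdP session is only possible through the provider's own sign-out mechanism (option 2), with the side effect the message describes: the user is signed out of every application of that provider open in the browser.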