Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User Story: I want to sign out of all my apps immediately in the browser. #9

Open
hpsin opened this issue Oct 26, 2021 · 5 comments
Open

User Story: I want to sign out of all my apps immediately in the browser. #9

hpsin opened this issue Oct 26, 2021 · 5 comments

Comments

@hpsin
Copy link

hpsin commented Oct 26, 2021

User story

As a user, I want to sign out of all the apps where I have used my federated identity.

Context of the story

I am a shift work in a warehouse, and sign into a couple web apps on my shared device in order to do my job. When I am done with my shift, I click "Sign out" in the app, and give the device to my coworker. I expect to be entirely signed out so that my coworker does not accidentally or maliciously manipulate data connected to me.

Should this be considered sanctioned or unsanctioned tracking?

Sanctioned.

Explicit list of parties involved

Each application that the user has signed into.
The IDP.
The User.

Complicating characteristics

This relies on Front channel logout: fedidcg/protocol-library#10

Additional information

The IdP must contact each application that I have signed into, to tell them that I have signed out.
@samuelgoto
Copy link

samuelgoto commented Dec 10, 2021
edited
Loading

When I am done with my shift, I click "Sign out" in the app

Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?

@samuelgoto
Copy link

samuelgoto commented Dec 10, 2021
edited
Loading

Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?

@samuelgoto
Copy link

What would happen if the cookies were partitioned?

@hpsin
Copy link
Author

hpsin commented Dec 10, 2021
edited
Loading

When I am done with my shift, I click "Sign out" in the app

Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?

Yes, and yes - they are signed out of the browser entirely. There is ** no trace** of the user identity in the browser after signout.

Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?

This does not work in browsers that block 3p cookies. Degradation occurs silently - the user just remains signed into the apps, and the IDP doesn't know that the signout at the app failed.

What would happen if the cookies were partitioned?

The application session cookies (the cookies the app is using to remember the sign in state) are partitioned {RP.example, RP.example}. The iframe request for signout to RP.example uses the cookie partition {idp.example, RP.example}. Because the application cookies are in a different partition from the one the app has access to in the signout request, the app is unable to delete those cookies.

@hlflanagan
Copy link
Contributor

Discussed on 2021-12-10 fedidcg call

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@samuelgoto @hpsin @hlflanagan