User Story: I want to sign out of all my apps immediately in the browser. #9
Comments
Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?
Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?
What would happen if the cookies were partitioned?
Yes, and yes - they are signed out of the browser entirely. There is **no trace** of the user identity in the browser after signout.
This does not work in browsers that block 3p cookies. Degradation occurs silently - the user just remains signed into the apps, and the IDP doesn't know that the signout at the app failed.
The application session cookies (the cookies the app is using to remember the sign in state) are partitioned {RP.example, RP.example}. The iframe request for signout to RP.example uses the cookie partition {idp.example, RP.example}. Because the application cookies are in a different partition from the one the app has access to in the signout request, the app is unable to delete those cookies.
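The partition mismatch described in this reply, as an added example that is not part of the issue thread or of any fedidcg code: a toy model of a browser cookie jar under three policies (legacy third-party cookies, third-party cookies blocked, CHIPS-style partitioned cookies), with an IdP logout page that loads each app's front-channel logout endpoint in an iframe. The hosts idp.example, rp1.example and rp2.example, the cookie names and the endpoint shapes are constructed placeholders, not real protocol details. The model shows why the iframe request carries no app session cookie once cookies are keyed by top-level site, so the app's logout endpoint has nothing to clear and the user stays signed in.

```python
"""Toy model of front-channel logout under three browser cookie policies.

Added example, not code from the issue or from fedidcg. All hosts, cookie
names and endpoints are constructed placeholders; the jar is a simplified
model of browser behaviour, not a real browser.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IDP = "idp.example"                    # constructed placeholder
RPS = ["rp1.example", "rp2.example"]   # constructed placeholders
SESSION_COOKIE = "app_session"         # constructed placeholder
IDP_COOKIE = "idp_session"             # constructed placeholder


@dataclass
class CookieJar:
    """Cookie storage keyed the way a browser keys it.

    policy:
      "legacy"      - one jar per host; cross-site (3p) requests carry cookies
      "block3p"     - cross-site requests carry no cookies and cannot set any
      "partitioned" - cookies keyed by (top-level site, host), CHIPS-style
    """
    policy: str
    store: Dict[Tuple[Optional[str], str], Dict[str, str]] = field(default_factory=dict)

    def _key(self, top_level: str, host: str) -> Tuple[Optional[str], str]:
        # Only the partitioned policy includes the top-level site in the key.
        return (top_level, host) if self.policy == "partitioned" else (None, host)

    def _blocked(self, top_level: str, host: str) -> bool:
        return self.policy == "block3p" and top_level != host

    def cookies_for(self, top_level: str, host: str) -> Dict[str, str]:
        """Cookies attached to a request to `host` from a page whose
        top-level site is `top_level` (an iframe inherits the parent's site)."""
        if self._blocked(top_level, host):
            return {}
        return dict(self.store.get(self._key(top_level, host), {}))

    def set_cookie(self, top_level: str, host: str, name: str, value: str) -> None:
        if self._blocked(top_level, host):
            return  # Set-Cookie on a cross-site response is dropped
        self.store.setdefault(self._key(top_level, host), {})[name] = value

    def delete_cookie(self, top_level: str, host: str, name: str) -> None:
        # Clearing is just Set-Cookie with a past expiry, so it can only reach
        # the partition the current request is keyed to.
        if self._blocked(top_level, host):
            return
        self.store.get(self._key(top_level, host), {}).pop(name, None)


class RelyingParty:
    def __init__(self, host: str) -> None:
        self.host = host

    def sign_in(self, jar: CookieJar) -> None:
        # Top-level navigation to the app: cookie lands in partition {host, host}.
        jar.set_cookie(self.host, self.host, SESSION_COOKIE, "sess-" + self.host)

    def frontchannel_logout(self, jar: CookieJar, top_level: str) -> bool:
        """Logout endpoint loaded in an iframe on the IdP page.
        Returns True only if a session cookie was visible and cleared.
        The real IdP page gets no such signal from a cross-origin iframe."""
        if SESSION_COOKIE not in jar.cookies_for(top_level, self.host):
            return False
        jar.delete_cookie(top_level, self.host, SESSION_COOKIE)
        return True

    def is_signed_in(self, jar: CookieJar) -> bool:
        # What matters is the cookie seen when the user opens the app directly.
        return SESSION_COOKIE in jar.cookies_for(self.host, self.host)


def idp_sign_out(jar: CookieJar, rps: List[RelyingParty]) -> List[bool]:
    """IdP logout page on idp.example: clears its own session and embeds one
    iframe per RP logout URL. Every iframe request has top-level site idp.example."""
    jar.delete_cookie(IDP, IDP, IDP_COOKIE)
    return [rp.frontchannel_logout(jar, IDP) for rp in rps]


def simulate(policy: str) -> Dict[str, object]:
    """Sign into the IdP and every app, sign out at the IdP, report what remains."""
    jar = CookieJar(policy)
    jar.set_cookie(IDP, IDP, IDP_COOKIE, "idp-sess")
    rps = [RelyingParty(h) for h in RPS]
    for rp in rps:
        rp.sign_in(jar)
    idp_sign_out(jar, rps)
    return {
        "idp_signed_in": IDP_COOKIE in jar.cookies_for(IDP, IDP),
        "apps_still_signed_in": sorted(rp.host for rp in rps if rp.is_signed_in(jar)),
    }


if __name__ == "__main__":
    for policy in ("legacy", "block3p", "partitioned"):
        print(policy, simulate(policy))
```

Under the legacy policy the iframe requests carry each app's session cookie and every session is cleared; under both the blocked and the partitioned policies the IdP session is gone but every app session survives, and nothing in the flow reports that back to the IdP, which is the silent degradation the reply describes.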
Discussed on 2021-12-10 fedidcg call
User story
As a user, I want to sign out of all the apps where I have used my federated identity.
Context of the story
I am a shift worker in a warehouse, and sign into a couple of web apps on my shared device in order to do my job. When I am done with my shift, I click "Sign out" in the app, and give the device to my coworker. I expect to be entirely signed out so that my coworker does not accidentally or maliciously manipulate data connected to me.
Should this be considered sanctioned or unsanctioned tracking?
Sanctioned.
Explicit list of parties involved
Each application that the user has signed into.
The IDP.
The User.
Complicating characteristics
This relies on Front channel logout: fedidcg/protocol-library#10
Additional information
The IdP must contact each application that I have signed into, to tell them that I have signed out.