fedidcg / use-case-library

User Story: I want to sign out of all my apps immediately in the browser. #9

Open hpsin opened 2 years ago

hpsin commented 2 years ago

User story

As a user, I want to sign out of all the apps where I have used my federated identity.

Context of the story

I am a shift worker in a warehouse, and sign into a couple of web apps on my shared device in order to do my job. When I am done with my shift, I click "Sign out" in the app, and give the device to my coworker. I expect to be entirely signed out so that my coworker does not accidentally or maliciously manipulate data connected to me.

Should this be considered sanctioned or unsanctioned tracking?

Sanctioned.

Explicit list of parties involved

Each application that the user has signed into. The IDP. The User.

Complicating characteristics

This relies on Front channel logout: https://github.com/fedidcg/protocol-library/issues/10

Additional information

The IdP must contact each application that I have signed into, to tell them that I have signed out.

samuelgoto commented 2 years ago

> When I am done with my shift, I click "Sign out" in the app

Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?

samuelgoto commented 2 years ago

Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?

samuelgoto commented 2 years ago

What would happen if the cookies were partitioned?

hpsin commented 2 years ago

> When I am done with my shift, I click "Sign out" in the app

> Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?

Yes, and yes - they are signed out of the browser entirely. There is no trace of the user identity in the browser after signout.

> Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?

This does not work in browsers that block 3p cookies. Degradation occurs silently - the user just remains signed into the apps, and the IDP doesn't know that the signout at the app failed.

> What would happen if the cookies were partitioned?

The application session cookies (the cookies the app is using to remember the sign in state) are partitioned {RP.example, RP.example}. The iframe request for signout to RP.example uses the cookie partition {idp.example, RP.example}. Because the application cookies are in a different partition from the one the app has access to in the signout request, the app is unable to delete those cookies.
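
The partition mismatch described in the comment above, as an added example that is not part of the original thread: a toy cookie-jar model (not a real browser API) that runs a front-channel logout under three cookie policies and reports which RP sessions survive. The hosts `rp1.example` and `rp2.example`, the cookie name `session` and all function names are constructed for illustration.

```javascript
// Toy model of a browser cookie jar (constructed for illustration, not a real browser API).
// mode: "unpartitioned" | "partitioned" | "block3p"
class CookieJar {
  constructor(mode) {
    this.mode = mode;
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }
  // Partition key follows the thread's notation: {top-level site, cookie site}.
  key(topLevel, host) {
    return this.mode === "partitioned" ? `${topLevel}|${host}` : host;
  }
  // Cookies visible to `host` when loaded under `topLevel`; null if third-party access is blocked.
  view(topLevel, host) {
    if (this.mode === "block3p" && topLevel !== host) return null;
    const k = this.key(topLevel, host);
    if (!this.store.has(k)) this.store.set(k, new Map());
    return this.store.get(k);
  }
}

// Sign-in happens first-party: the top-level site is the RP itself.
function signIn(jar, rp) {
  jar.view(rp, rp).set("session", "user-a");
}

// Front-channel logout: the IdP page (top level) loads each RP's logout URL in an iframe.
// The RP handler can only clear the cookies it sees in that embedded context.
function frontChannelLogout(jar, idp, rps) {
  for (const rp of rps) {
    const cookies = jar.view(idp, rp);
    if (cookies) cookies.delete("session");
    // The iframe load completes either way, so the IdP gets no failure signal.
  }
}

// Run sign-in then IdP-driven logout; return the RPs whose first-party session survived.
function run(mode) {
  const jar = new CookieJar(mode);
  const rps = ["rp1.example", "rp2.example"];
  rps.forEach((rp) => signIn(jar, rp));
  frontChannelLogout(jar, "idp.example", rps);
  return rps.filter((rp) => jar.view(rp, rp).has("session"));
}

for (const mode of ["unpartitioned", "partitioned", "block3p"]) {
  console.log(mode, "-> sessions surviving logout:", run(mode));
}
```
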

hlflanagan commented 2 years ago

Discussed on 2021-12-10 fedidcg call