Open hpsin opened 3 years ago
When I am done with my shift, I click "Sign out" in the app
Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?
Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?
What would happen if the cookies were partitioned?
> When I am done with my shift, I click "Sign out" in the app
>
> Is it fair to assume that what happens after the user clicks on "Sign out" in one of the apps, the user gets redirected to the IDP, which then later "Signs out" all of the apps by communication with them? Does the user also get "Signed out" of their IDP?

Yes, and yes - they are signed out of the browser entirely. There is no trace of the user identity in the browser after signout.

> Can you help me understand how this works with browsers that block third party cookies? How do we degrade (gracefully or not)?

This does not work in browsers that block 3p cookies. Degradation occurs silently - the user just remains signed into the apps, and the IDP doesn't know that the signout at the app failed.

> What would happen if the cookies were partitioned?

The application session cookies (the cookies the app is using to remember the sign in state) are partitioned {RP.example, RP.example}. The iframe request for signout to RP.example uses the cookie partition {idp.example, RP.example}. Because the application cookies are in a different partition from the one the app has access to in the signout request, the app is unable to delete those cookies.
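The three browser behaviours discussed in the reply above (third-party cookies allowed, blocked, and partitioned), as a toy model added here; it is not code from the issue or from any browser. The `CookieJar` class, the mode names and the `rp1.example` / `rp2.example` hosts are assumptions made for illustration.

```javascript
// Toy cookie jar: not a browser API. Modes are hypothetical labels:
//   "allow-3p"  one jar per cookie site, shared by every embedding context
//   "block-3p"  third-party contexts get no cookie access at all
//   "partition" jar keyed by {top-level site, cookie site}
class CookieJar {
  constructor(mode) { this.mode = mode; this.store = new Map(); }
  jar(top, site) {
    // A blocked third-party context reads and writes a throwaway jar.
    if (this.mode === "block-3p" && top !== site) return new Map();
    const key = this.mode === "partition" ? `${top}|${site}` : site;
    if (!this.store.has(key)) this.store.set(key, new Map());
    return this.store.get(key);
  }
  set(top, site, name, value) { this.jar(top, site).set(name, value); }
  get(top, site, name) { return this.jar(top, site).get(name); }
  delete(top, site, name) { return this.jar(top, site).delete(name); }
}

// Front-channel logout: the IdP page (top-level site = idp) loads each RP's
// logout URL in an iframe, and the RP tries to delete its session cookie.
function frontChannelLogout(jar, idp, rps) {
  const result = {};
  for (const rp of rps) {
    // The iframe request runs in the context {idp, rp}.
    const cleared = jar.delete(idp, rp, "session");
    // Ground truth the IdP cannot observe: is the first-party session
    // cookie in {rp, rp} still there when the next user opens the app?
    const stillSignedIn = jar.get(rp, rp, "session") !== undefined;
    result[rp] = { cleared, stillSignedIn };
  }
  return result;
}

function simulate(mode) {
  const jar = new CookieJar(mode);
  const rps = ["rp1.example", "rp2.example"]; // constructed sample RPs
  // The user signed in at each RP as a first-party visit: context {rp, rp}.
  for (const rp of rps) jar.set(rp, rp, "session", "constructed-session-id");
  return frontChannelLogout(jar, "idp.example", rps);
}

for (const mode of ["allow-3p", "block-3p", "partition"]) {
  console.log(mode, simulate(mode));
}
```

Only the `allow-3p` run ends with `stillSignedIn: false`; in the other two the logout iframe loads normally, so the shared-device user in the story hands over a device that is still signed in at every app.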
Discussed on 2021-12-10 fedidcg call
User story
As a user, I want to sign out of all the apps where I have used my federated identity.
Context of the story
I am a shift worker in a warehouse, and sign into a couple web apps on my shared device in order to do my job. When I am done with my shift, I click "Sign out" in the app, and give the device to my coworker. I expect to be entirely signed out so that my coworker does not accidentally or maliciously manipulate data connected to me.
Should this be considered sanctioned or unsanctioned tracking?
Sanctioned.
Explicit list of parties involved
Each application that the user has signed into. The IDP. The User.
Complicating characteristics
This relies on Front channel logout: https://github.com/fedidcg/protocol-library/issues/10
Additional information
The IdP must contact each application that I have signed into, to tell them that I have signed out.