mozilla / fxa-content-server

DEPRECATED - Migrated to https://github.com/mozilla/fxa
Mozilla Public License 2.0

Solve the logout-from-rp problem, to improve session management #2474

Closed rfk closed 8 years ago

rfk commented 9 years ago

As noted in https://github.com/mozilla/fxa-content-server/issues/2391#issuecomment-100356118 and linked issues, we don't have a great story around logout and session management right now.

The crux of the issue is, there's no obvious way for the user to log out of FxA. Oh sure, we provide a "sign out" option, but most users never see it since they only pass through FxA on their way to something else.

We work around this by refusing to re-use FxA session tokens from one login to the next, except under very controlled circumstances. The rule we're operating by is: if logging in to ServiceA via FxA leaves you with password-less login to other FxA services, then logging out of ServiceA should revoke it.

The result right now is that only sync can grant you password-less login to other FxA services, and even then under some pretty tenuous circumstances. Since we want more passwordless login, we need to do more logouts.

Perhaps we can lift ideas from the OpenID Connect world on how to enable this? Relevant Draft RFCs:

Both of these suggest that the IdP offer an end_session_endpoint to which reliers can redirect in order to effect a logout. With cooperation from the RP, this might be enough to allow e.g. Hello or Pocket logins to satisfy the rule above.

shane-tomlinson commented 8 years ago

@rfk - I'm going to move this to an Aha idea and close it out here.

shane-tomlinson commented 8 years ago

Added to https://mozilla.aha.io/ideas/ideas/FXA-I-4