privacycg / is-logged-in

The IsLoggedIn API

Handling server-side or out-of-band logouts #12

Open johnwilander opened 4 years ago

johnwilander commented 4 years ago

This issue was ported from https://github.com/WebKit/explainers/issues/42.

Sometimes a user may be logged out of all devices/browsers due to some sort of server-side action. For example, this may happen due to too many failed login attempts, suspicious account activity, or a known password breach sending all users to a mandatory change password flow. How can the browser know about this?

One note: From a website perspective, this is no different than today. Tokens carrying authentication info may be set in an arbitrary number of browsers and apps and then an event in another place invalidates all those tokens. However, the browser may be communicating a logged in state to the user which is actually not true. I believe that is the issue discussed here.

melanierichards commented 4 years ago

In the same vein of this original issue, I heard feedback that sites would like to send a setLoggedOut() signal asynchronously to the user agent. Motivating example was a site which (on the server-side) logs users out based on a time-out.

melanierichards commented 3 years ago

Refer also to #41 requesting a server-side API, might be good to discuss both (setting logged in/out state server-side) together.

tigt commented 3 years ago

Does this issue also apply for the case where a user’s cookies/site-specific-state are removed by the Clear-Site-Data header? Minting a new value for WebAuthn/etc. seems reasonable, and it’s already capable of clearing auth cookies.
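The two situations raised in this thread, a server-side revocation that the browser only learns about on its next request (johnwilander, melanierichards) and a response that clears cookies via Clear-Site-Data (tigt), can be sketched in code. The following is an added example and is not part of the IsLoggedIn explainer, the WebKit repository or any participant's post. It assumes an in-memory session store, a constructed request shape, and a user-agent hook object standing in for the proposed `navigator.setLoggedOut()` so the code runs under Node; whether a user agent also resets its IsLoggedIn state on Clear-Site-Data is the open question tigt asks, so the client half does not rely on it and calls the hook explicitly.

```javascript
// Added example, not code from the IsLoggedIn explainer or this thread.
// Server: sessions issued to any number of browsers/apps, plus an
// out-of-band "revoke everything for this account" event. Client: reconcile
// the user agent's logged-in state with the server's verdict.

// --- Server side (constructed, in-memory state) --------------------------
const sessions = new Map([
  ['tok-laptop', { account: 'alice', issuedAt: 1000 }],
  ['tok-phone',  { account: 'alice', issuedAt: 2000 }],
  ['tok-bob',    { account: 'bob',   issuedAt: 1500 }],
]);

// account -> timestamp; every session issued at or before it is dead
// (too many failed logins, breach-triggered password reset, and so on).
const revokedBefore = new Map();
function revokeAllSessions(account, now) {
  revokedBefore.set(account, now);
}

function sessionIsValid(token) {
  const s = sessions.get(token);
  if (!s) return false;
  const cutoff = revokedBefore.get(s.account);
  return cutoff === undefined || s.issuedAt > cutoff;
}

function parseCookie(header) {
  return Object.fromEntries(
    header.split(';').map(p => p.trim()).filter(Boolean)
      .map(p => { const i = p.indexOf('='); return [p.slice(0, i), p.slice(i + 1)]; })
  );
}

// A stale token is only noticed when the browser next talks to the server.
// That response tells the browser to drop cookies (Clear-Site-Data) and also
// expires the session cookie explicitly for user agents ignoring the header.
function handleRequest(req) {
  const token = parseCookie(req.headers.cookie || '').session;
  if (token && sessionIsValid(token)) {
    return { status: 200, headers: { 'Cache-Control': 'no-store' }, body: { active: true } };
  }
  return {
    status: 401,
    headers: {
      'Clear-Site-Data': '"cookies"',
      'Set-Cookie': 'session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
      'Cache-Control': 'no-store',
    },
    body: { active: false },
  };
}

// --- Client side -----------------------------------------------------------
// `res` is the session-check response ({status}) or null on a network error.
// `ua` stands in for the user agent API named in this thread (assumed shape:
// { setLoggedOut() }). Only a definite 401/403 flips the state; a transient
// failure must not make the browser report "logged out" to the user.
function reconcileLoginState(res, ua) {
  if (res === null) return 'unchanged';           // network error
  if (res.status === 401 || res.status === 403) {
    ua.setLoggedOut();
    return 'logged-out';
  }
  if (res.status >= 500) return 'unchanged';      // server trouble, not a verdict
  return 'still-logged-in';                        // 2xx: session confirmed
}

module.exports = { sessions, revokeAllSessions, sessionIsValid, handleRequest, reconcileLoginState };
```

Run against the constructed store: before `revokeAllSessions('alice', 2500)` the laptop token gets a 200; afterwards the same request gets a 401 carrying Clear-Site-Data, and feeding that response to `reconcileLoginState` calls the hook once. A session issued after the cutoff (a fresh login) stays valid, which is the distinction a blanket "delete all rows" revocation would lose.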