Hopefully this is an appropriate place to post this. I was answering a question on Stack Overflow and thought that this would be a good suggestion for OAuthWebSecurity.
The problem is that if a user logged in using a provider (e.g. Google/Facebook/Twitter/etc.), then when the user logs out from the app, i.e. WebSecurity.Logout(), they remain logged into their provider. The reason that I think that leaving the user logged into the provider is bad is demonstrated by the following example:
- User is on a public computer.
- User opens an EmergencyIceCream (fictitious) site.
- On the EmergencyIceCream site, User chooses to log in using a provider (e.g. google/facebook).
- User has ordered their emergency ice cream and clicks log out.
- User is taken back to the EmergencyIceCream home page.
- User is happy that they have logged out.
- BadUser comes to the computer and can't believe their luck: when they go to the provider's site (e.g. Google/Facebook), they have access to and control over all account information for User as well as any applications that use User's account (including
I think that there should be an option to log out of the social provider as well. I imagine that there are times when the user may want to remain logged into their provider, such as when they have the provider's site open in a different tab and want to continue using it, which is why I think there should be both options.
I am not sure if this is something that could be done under the hood in OAuthWebSecurity or needs to change in the OpenID/OAuth implementation. I don't think it is a very good option to have code to log out of each provider individually. I don't agree with some answers that say that this is how OAuth works and that we should live with it or use our own authentication and authorization. As a consumer of the OAuthWebSecurity feature to simplify the login process for my app, I now have more work to do and weakened security for the user. Also, the fact that logging out of the provider solves the issue indicates that there is a way to solve this.