Assuming a cooperative browser, yes. This would be appropriate for a logout link. Note that because of the way OpenID works, the user will simply be logged back in next time they visit the site, unless they also log out of the IdP as well (see the "single sign-out problem").
If this isn't desired behavior, you can force the user to go through the IdP again:
Assuming a hostile/defective browser or stolen cookie, that alone won't do it, because a browser or other user agent could ignore cookie expiration and retain the cookie. It'll eventually stop working when the signed expiration time passes, but can be used until then. So we'd need to implement something suitable for a "log me out everywhere" scenario.
Some possibilities to deal with this:
This is a problem with
As a developer, the use case for me here is that someone who is logged in and viewing an authenticated page can 'share' the page via Facebook etc., and then anyone who clicks through from Facebook etc. gets the smoothest possible user experience.
Anyway, back to the original question: I was referring to user-initiated logout, not app-initiated logout / premature session expiry. It's a simpler problem, I think. What I'm doing at the moment, and I think you said this approximately correct, is:
For completeness, here's my
I have just added an oidc.logout() function, which will ensure logouts for cooperating browsers by expiring and emptying the cookie.
Also, with the new version you will also get the ID token if your API does not require authentication.