
OAuth keeps you logged in
Closed, Declined (Public)

Description

OAuth keeps you logged into connected applications despite purposefully logging out of your main account.

The default behaviour should be changed to logging out of the connected application when you log out.

Ideally this behaviour should be determined by a preference on the permissions dialogue of OAuth.

Event Timeline

Tgr subscribed.

Login status is managed by the application, not OAuth; OAuth just provides an API (a fairly expensive one, performance-wise) that can be used to establish the identity of a user who is logged in on the wiki. It's not something that gets checked on every request like some SSO systems.

The closest that could be done would be some kind of session API where you can check whether a given session still exists (and then apps could poll that), or some event emitter for logouts. Both would be complex to do in a secure and performant way, on both server and client side. Currently, applications can implement wiki-based login by dropping in an OAuth library; it would be unrealistic to expect them to implement complex custom polling or event listening behavior for a functionality that's not particularly useful for most applications anyway.

You can revoke the permissions of an OAuth application, that's somewhat similar to logging out. It prevents the application from accessing your data or performing actions under your name, and if it does an identity check for login, it will see that the permission has been revoked. It still has to explicitly check, though.
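The session model described in the comment above, as an added simulation that is not part of this task or of MediaWiki's OAuth code: the connected application keeps its own session, the wiki's login state is never consulted, and a revoked grant is only noticed when the application re-runs an identity check (here `Wiki.identify` is a hypothetical stand-in for that check, and `recheck_after` is an assumed cache lifetime the application chooses).

```python
from dataclasses import dataclass, field


@dataclass
class Wiki:
    """Stand-in for the wiki: wiki login sessions and OAuth grants are tracked separately."""
    logged_in: set = field(default_factory=set)   # users with a live wiki session
    grants: set = field(default_factory=set)      # (user, app) pairs the user has authorized

    def identify(self, user, app):
        """Hypothetical identity check: answers from the grant, not from wiki login state."""
        return (user, app) in self.grants


@dataclass
class App:
    """A connected application with its own session store."""
    name: str
    wiki: Wiki
    recheck_after: float                      # seconds a cached identity check is trusted
    sessions: dict = field(default_factory=dict)   # user -> time of last successful check

    def login(self, user, now):
        if not self.wiki.identify(user, self.name):
            return False
        self.sessions[user] = now
        return True

    def is_logged_in(self, user, now):
        last = self.sessions.get(user)
        if last is None:
            return False
        if now - last < self.recheck_after:
            return True                       # cached: revocation not visible yet
        if self.wiki.identify(user, self.name):
            self.sessions[user] = now         # explicit re-check succeeded
            return True
        del self.sessions[user]               # grant revoked: drop the app session
        return False


def scenario():
    """Constructed timeline: wiki logout has no effect; revocation shows up only at the next re-check."""
    wiki = Wiki(logged_in={"alice"}, grants={("alice", "myapp")})
    app = App("myapp", wiki, recheck_after=60)
    assert app.login("alice", now=0)
    wiki.logged_in.discard("alice")                       # user logs out of the wiki
    after_wiki_logout = app.is_logged_in("alice", now=10)  # True: app never asks the wiki
    wiki.grants.discard(("alice", "myapp"))               # user revokes the app's permissions
    within_cache = app.is_logged_in("alice", now=20)       # True: cached result still trusted
    after_recheck = app.is_logged_in("alice", now=70)      # False: explicit check sees revocation
    return after_wiki_logout, within_cache, after_recheck
```

Shortening `recheck_after` narrows the window in which a revoked grant is still honoured, at the cost of more identity calls, which is the performance trade-off the comment refers to.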