I've got a very simple DotNetOpenAuth implementation working for my MVC4 site (Google only).
The trouble is, if I (1) log in to my site using Google and then (2) log out of Google, I still remain authenticated on my site.
Is this by design? I'm new to OpenId so I'm a bit confused. Surely users will expect that if they sign out of Google that will end all their associated OpenId sessions?
Is this by design?
Yes.
It would cause havoc for websites if other websites could just go and alter their session states when a user logs out of gmail (in this example). What if you were halfway through executing a DB/SQL update script that requires the user_id from your session, and all of a sudden it's not there because the user just logged out of the gmail account? You'd have scripts falling over all over the place. Or what if they have 2 gmail accounts and log out of one account to check their mail in the other account. Bam, they're logged out of all other sites. I think not :-)
When a user "logs in" onto a site using a 3rd party credential provider, it is still their responsibility to log out of both sites if they want to.
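Added example (not code from the question or the answer) showing where that independent local session comes from in a DotNetOpenAuth MVC4 relying party: the forms-authentication cookie is issued once Google's assertion has been verified and is never re-checked against Google afterwards. The controller and action names are assumed.

```csharp
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

public class AuthController : Controller
{
    // Google's OpenID 2.0 discovery endpoint (the provider the question uses).
    private const string GoogleOpenIdIdentifier = "https://www.google.com/accounts/o8/id";
    private static readonly OpenIdRelyingParty openid = new OpenIdRelyingParty();

    // Step 1: user clicks "Log in with Google"; redirect them to Google.
    public ActionResult Login()
    {
        Identifier id;
        if (!Identifier.TryParse(GoogleOpenIdIdentifier, out id))
        {
            return new HttpStatusCodeResult(500);
        }
        IAuthenticationRequest request = openid.CreateRequest(id);
        return request.RedirectingResponse.AsActionResult();
    }

    // Step 2: Google sends the user back here with a signed assertion.
    [ValidateInput(false)] // openid.* parameters contain URLs
    public ActionResult Authenticate()
    {
        IAuthenticationResponse response = openid.GetResponse();
        if (response != null && response.Status == AuthenticationStatus.Authenticated)
        {
            // This is the only moment Google is consulted. From here on the site's
            // own forms-auth cookie keeps the user signed in; Google's session is
            // never checked again, so logging out of Google does not touch it.
            // createPersistentCookie: false -> browser-session cookie only.
            FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);
            return RedirectToAction("Index", "Home");
        }
        // Cancelled or failed assertions go back to the login page.
        return RedirectToAction("Login");
    }

    // Ending the local session clears only this site's cookie; the user stays
    // signed in to Google unless they log out there as well.
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }
}
```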