Ask HN: Is logging out of an app with a third party login broken?
For example:
* I have a GitHub and GitLab account
* I log into GitLab with my GitHub account
* This means I'm now logged into both GitHub and GitLab
* If I log out of GitLab and don't log out of GitHub I can automatically log back into GitLab without providing any credentials
* If I sign out of GitHub I'm still logged into GitLab
* To sign out of GitLab I have to sign out of both applications
To me, it seems that for someone non-technical it's not going to be obvious that after you log out of the likes of GitLab that somebody with access to your computer can still access both GitHub and GitLab. This makes using a third party login on a device you don't own or giving somebody access to your own device a lot more risky. This is because now being logged in/out is a bit more ambiguous. The concept of a shared user space seems to be completely incompatible with third party logins.
At first when I was putting the third party login mechanism in place I thought I was doing something wrong because logging out seemed to be so convoluted. It turned out that this is how it "works".
So with all that. I'm assuming this issue has been discussed before? Was it agreed the trade-off in convenience out weighed security?
3 comments
[ 4.0 ms ] story [ 16.0 ms ] thread