Ask HN: Is logging out of an app with a third party login broken?

2 points by aswerty ↗ HN
After developing an app with a third party login mechanism I'm left wondering as to whether the concept of logging out from these applications is broken.

For example:

* I have a GitHub and GitLab account

* I log into GitLab with my GitHub account

* This means I'm now logged into both GitHub and GitLab

* If I log out of GitLab and don't log out of GitHub I can automatically log back into GitLab without providing any credentials

* If I sign out of GitHub I'm still logged into GitLab

* To sign out of GitLab I have to sign out of both applications

To me, it seems that for someone non-technical it's not going to be obvious that after you log out of the likes of GitLab that somebody with access to your computer can still access both GitHub and GitLab. This makes using a third party login on a device you don't own or giving somebody access to your own device a lot more risky. This is because now being logged in/out is a bit more ambiguous. The concept of a shared user space seems to be completely incompatible with third party logins.

At first when I was putting the third party login mechanism in place I thought I was doing something wrong because logging out seemed to be so convoluted. It turned out that this is how it "works".

So with all that. I'm assuming this issue has been discussed before? Was it agreed the trade-off in convenience out weighed security?

3 comments

[ 4.0 ms ] story [ 16.0 ms ] thread
This is the one thing i dont like from single sign on solutions.
Replace Github with Facebook or Google and the question boils down to "Broken for who?" The whole reason that big companies love supporting logins on other sites is that it makes it harder for a user to avoid sending information to that company.
Replace Github with Facebook or Google and the question boils down to "Broken for who?" The whole reason that big companies love supporting logins on other sites is that it makes it harder for a user to avoid sending information to that company.