single sign out with Firefox Accounts

Lloyd Hilaiel lhilaiel at
Mon Nov 11 11:28:42 PST 2013

On Nov 9, 2013, at 3:39 AM, Chris Karlof <ckarlof at> wrote:
> But we *are* building a SSO system. I argue we need .onlogout() or something similar to it to notify relying Mozilla services when the user has logged out.

Concrete use cases?

> If there are issues with .onlogout() not working well, we should address those issues, but I think we "want" it.

We want it in persona too, but it can’t be reliably implemented - this was the conclusion we (dan, sean, shane, myself, etc) came to.  It would be useful to challenge this belief with a holistic review of client storage mechanisms and their behavior under default and user configurable privacy properties.  We have so much of this knowledge spread across our teams and in issues, a blog post or article gelling it all together would be really fantastic.  

If such an endeavor were timeboxed and quick, this could contribute meaningfully to others in similar positions.

> An alternative I've heard is "session cookie assassination", where FxA kills the session cookies of relying Mozilla services on logout. IMO, this is more fragile approach and is insufficient.

Where precisely do you perceive fragility?

> I'm not sure how to accomplish this across multiple domains without UA support, and FxA has to work everywhere (i.e., non-Firefox browsers).

Our approach with persona was to implement the maximum set of features we could reliably implement everywhere (goldilocks), and then gracefully upgrade when UA support exists.

There are extensive threads around goldilocks in dev-identity (I actually was *really* reluctant to give up on onlogout, it took some conversation and convincing, and now I’m a convert).


> Thoughts? 
> -chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Dev-fxacct mailing list