We’ve done something similar with OAuth2 tokens rather than session tokens for one project. Thought should be given to securing access to the custom endpoint, though.
As a security precaution, I would expect that all of my sessions be invalidated and to be asked to log in again on all sites where I use the Open ID - after all, if someone gets my password and logs in as me before I can change it, changing it is next to pointless.
Like I said, I don't know how Open ID works and if this is even possible but regardless of the Open ID provider I would expect this behaviour, if it was possible. Just to be sure (sorry, not quite woken up yet) will logging out also kill sessions on other sites where I've logged in with my Stack Exchange Open ID (not Stack Exchange sites, that is)?
@ben no, only insofar as it clears HTML 5 local storage in the browser, which would trigger auto-login on a Stack Exchange site if you start from a logged-out state.
When I came into work this morning, I opened up Server Fault and to my surprise, I was in fact still logged in.
Doing a bit of checking, I am also still logged into all other Stack Exchange sites I was pre password change.