This repository was archived by the owner on Oct 16, 2019. It is now read-only.

atmos
Owner

@atmos atmos commented Feb 13, 2015

This uses an internal API that we're evaluating to give people easier single sign out for OAuth clients using cookie sessions. This is only available to GitHub-owned OAuth apps, and shouldn't have any adverse effects for everyone else's clients.

Here's how it works:

  • During the OAuth callback phase an extra parameter is returned to the handshake, browser_session_id. This is stored on the user object for later use.
  • GitHub has an API available /user/sessions/active that accepts OAuth tokens and the browser_session_id. Given these two values GitHub can determine if the initiating browser still has a valid session and returns true or false depending on whether it's still valid on the site.
  • Browser sessions can be verified periodically in a before filter to ensure that the user should still have access to the site. By default the check ensures that the user has been verified in the last 2 minutes.

I'm gonna fix up the example app and start rolling this out to a few apps before merging and releasing.
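
Added example, not part of the pull request or of warden-github's code: a minimal Ruby sketch of the three steps described above, showing the periodic re-check and what happens when the remote session is gone or the check itself fails. The class name, method names, the injected `checker` callable and the fail-closed error handling are assumptions made for illustration.

```ruby
# Added illustration: SessionVerifier and its methods are hypothetical names,
# not warden-github's API.
class SessionVerifier
  VERIFY_INTERVAL = 120 # seconds: the 2-minute default from the description

  # checker: callable(token, browser_session_id) -> true/false. A real one
  # would query /user/sessions/active; the request format is not shown on
  # this page, so it is injected here.
  def initialize(checker, clock: -> { Time.now.to_i }, interval: VERIFY_INTERVAL)
    @checker = checker
    @clock = clock
    @interval = interval
  end

  # Callback phase: keep browser_session_id with the user for later checks.
  def sign_in(token:, browser_session_id:)
    { token: token, browser_session_id: browser_session_id,
      verified_at: @clock.call }
  end

  # Before filter: returns the (possibly refreshed) user while access should
  # continue, or nil when the local cookie session must be dropped.
  def verify(user)
    return nil if user.nil?
    # Assumption: clients that got no browser_session_id are left untouched.
    return user if user[:browser_session_id].nil?

    now = @clock.call
    return user if now - user[:verified_at] < @interval
    return nil unless remote_session_active?(user)

    user.merge(verified_at: now)
  end

  private

  # Assumption: an error from the check counts as "not active" (fail closed),
  # so an unreachable API cannot keep a signed-out browser logged in.
  def remote_session_active?(user)
    @checker.call(user[:token], user[:browser_session_id]) == true
  rescue StandardError
    false
  end
end
```

The caller stores the hash returned by `verify` back into its cookie session, and clears the session and restarts the OAuth flow when it gets `nil`.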

@btoews
Contributor

btoews commented Feb 13, 2015

Lookin' good

@atmos
Owner Author

atmos commented Feb 18, 2015

/cc @benbalter

atmos added a commit that referenced this pull request Feb 18, 2015
Add basic single sign out support for GitHub properties
@atmos atmos merged commit 3e9aa5f into master Feb 18, 2015
@atmos atmos deleted the single-sign-out branch February 18, 2015 22:12
atmos added a commit to atmos/sinatra_auth_github that referenced this pull request Feb 18, 2015