Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0.RC2
    • Fix Version/s: 3.0.1
    • Component/s: OpenID
    • Labels:
      None

      Description

      The remember-me cookie does not get set for a successful openid login because rememberMeRequested(request, parameter) in the loginSuccess method of AbstractRememberMeServices returns false. This is because the _spring_security_remember_me parameter is not available in the redirect that is performed by the openid provider.

        Activity

        Luke Taylor added a comment -

        Generally with OpenID, you have control over the authentication process and you can typically set a remember-me option with the OpenID provider if you don't want to have to explicitly log in. What is the use case that requires local remember-me functionality combined with OpenID?

        Janick Reynders added a comment -

        I'm new to OpenID so forgive me if I still have any misconceptions about it.

        The behaviour of the app without remember-me is that I, as a user, explicitly have to specify the openid_identifier (the openid url) each time my session is expired. I do not have to log in explicitly (probably because I set the remember-me option with the provider), which is good.

        I thought that the local remember-me would enable the app to remember that I logged in with "https://www.google.com/accounts/o8/id" as openid_identifier, so that I do not have to enter it again (and as a result, do not see the login screen) if I visit the website the next day.

        Luke Taylor added a comment -

        Sorry, I am talking nonsense. I am forgetting that OpenID is different from CAS where the SSO server is well known, and someone who is already authenticated to CAS does not need to authenticate. With OpenID you do not necessarily know the provider, hence the user still has to enter their ID, even if they have configured remember-me with the OpenID provider.

        The OpenIDAuthenticationFilter currently has no knowledge of remember-me. You could override the buildReturnToUrl() method easily enough, to add in the appropriate parameter to the URL which the provider will redirect to.

        Luke Taylor added a comment -

        I guess we could make the returnToUrl include parameters (apart from the identity). This could be configured using a flag.

        Luke Taylor added a comment -

        I've added a "returnToUrlParameters" property to the filter which allows you to set the parameters which will be added. If not set, it defaults to the "parameter" property of any injected AbstractRememberMeServices (obtained from the parent class).

        Note that remember-me won't work with TokenBasedRememberMeServices as this implementation requires access to the password (which obviously isn't accessible with OpenID authentication).

        Janick Reynders added a comment -

        Wow, that was fast!

        Until 3.0.1 is out I'll use a custom filter with overridden OpenIDAuthenticationFilter.buildReturnToUrl() method as a workaround. Could you tell me how I have to wire this bean? Which properties do I need to set on the myCustomFilter bean when I want to replace

        <openid-login login-processing-url="/openid_login" user-service-ref="customUserDetailsService"/>

        by

        <custom-filter position="OPENID_FILTER" ref="myCustomFilter" />

        in the <http> element?

        Thanks!
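
A sketch of the workaround discussed in this thread, added here as an example (it is not code from the issue or from the Spring Security project): a subclass of OpenIDAuthenticationFilter that carries the remember-me parameter through the provider redirect. The class name and the setter are hypothetical, and the `buildReturnToUrl(HttpServletRequest)` signature is assumed from the 3.0.0 filter.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.openid.OpenIDAuthenticationFilter;

// Hypothetical class name; illustrates the override suggested in the comments above.
public class RememberMeOpenIDAuthenticationFilter extends OpenIDAuthenticationFilter {

    // Parameter name taken from the issue description. It must match the
    // "parameter" property of the configured remember-me services.
    private String rememberMeParameter = "_spring_security_remember_me";

    @Override
    protected String buildReturnToUrl(HttpServletRequest request) {
        String returnTo = super.buildReturnToUrl(request);

        // Forward only this one known parameter. Copying arbitrary request
        // parameters into the return-to URL would let the login form inject
        // unexpected values into the post-authentication request.
        String value = request.getParameter(rememberMeParameter);
        if (value == null) {
            return returnTo; // remember-me not requested: URL unchanged
        }

        try {
            char separator = returnTo.indexOf('?') < 0 ? '?' : '&';
            // Encode both name and value so the submitted value cannot add
            // further parameters or a fragment to the URL.
            return returnTo + separator
                    + URLEncoder.encode(rememberMeParameter, "UTF-8") + '='
                    + URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always supported", e);
        }
    }

    // Hypothetical setter so the name can follow a customised remember-me configuration.
    public void setRememberMeParameter(String rememberMeParameter) {
        this.rememberMeParameter = rememberMeParameter;
    }
}
```

The bean still needs the properties the stock filter relies on, such as the authentication manager and the remember-me services, and the remember-me services must be an implementation that does not need the user's password.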


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Janick Reynders
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: