SEC-1349: Remember me broken with OpenID #1593

Closed
spring-issuemaster opened this Issue Jan 4, 2010 · 6 comments

1 participant

@spring-issuemaster

Janick Reynders (Migrated from SEC-1349) said:

The remember-me cookie does not get set for a successful openid login because rememberMeRequested(request, parameter) in the loginSuccess method of AbstractRememberMeServices returns false. This is because the _spring_security_remember_me parameter is not available in the redirect that is performed by the openid provider.

@spring-issuemaster

Luke Taylor said:

Generally with OpenID, you have control over the authentication process and you can typically set a remember-me option with the OpenID provider if you don't want to have to explicitly log in. What is the use case that requires local remember-me functionality combined with OpenID?

@spring-issuemaster

Janick Reynders said:

I'm new to OpenID so forgive me if I still have any misconceptions about it.

The behaviour of the app without remember-me is that I, as a user, explicitly have to specify the openid_identifier (the openid url) each time my session is expired. I do not have to log in explicitly (probably because I set the remember-me option with the provider), which is good.

I thought that the local remember-me would enable the app to remember that I logged in with "https://www.google.com/accounts/o8/id" as openid_identifier, so that I do not have to enter it again (and as a result, do not see the login screen) if I visit the website the next day.

@spring-issuemaster

Luke Taylor said:

Sorry, I am talking nonsense :). I am forgetting that OpenID is different from CAS where the SSO server is well known, and someone who is already authenticated to CAS does not need to authenticate. With OpenID you do not necessarily know the provider, hence the user still has to enter their ID, even if they have configured remember-me with the OpenID provider.

The OpenIDAuthenticationFilter currently has no knowledge of remember-me. You could override the buildReturnToUrl() method easily enough, to add in the appropriate parameter to the URL which the provider will redirect to.
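The workaround Luke describes, as an added example that is not code from the Spring Security project or from either participant: a subclass whose buildReturnToUrl() copies only the remember-me parameter into the return_to URL, URL-encoded, so the value survives the provider's redirect and rememberMeRequested() can see it. It assumes Spring Security 3.0.x, where buildReturnToUrl(HttpServletRequest) is the protected hook, and that getRememberMeServices() returns an AbstractRememberMeServices (the default parameter name is a fallback).

```java
// Added example (not from the Spring Security project or the issue's authors).
// Only the single, known remember-me parameter is appended, never arbitrary request
// parameters, because the provider echoes return_to back and the consumer checks it.
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.openid.OpenIDAuthenticationFilter;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;

public class RememberMeAwareOpenIDFilter extends OpenIDAuthenticationFilter {

    // Fallback name, used only if no AbstractRememberMeServices is injected (assumption).
    private static final String DEFAULT_REMEMBER_ME_PARAM = "_spring_security_remember_me";

    @Override
    protected String buildReturnToUrl(HttpServletRequest request) {
        String returnTo = super.buildReturnToUrl(request);
        String param = rememberMeParameterName();
        String value = request.getParameter(param);
        if (value == null) {
            return returnTo; // remember-me not requested on this login: leave the URL untouched
        }
        try {
            String pair = URLEncoder.encode(param, "UTF-8") + "="
                        + URLEncoder.encode(value, "UTF-8");
            // Append with '?' or '&' depending on whether a query string already exists.
            return returnTo + (returnTo.indexOf('?') < 0 ? "?" : "&") + pair;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    // Prefer the parameter name configured on the injected remember-me services so the
    // name in the return_to URL matches what rememberMeRequested() will look for.
    private String rememberMeParameterName() {
        RememberMeServices services = getRememberMeServices();
        if (services instanceof AbstractRememberMeServices) {
            return ((AbstractRememberMeServices) services).getParameter();
        }
        return DEFAULT_REMEMBER_ME_PARAM;
    }
}
```

As Luke notes later in the thread, this only helps with a remember-me implementation that does not need the password, such as PersistentTokenBasedRememberMeServices, not TokenBasedRememberMeServices.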

@spring-issuemaster

Luke Taylor said:

I guess we could make the returnToUrl include parameters (apart from the identity). This could be configured using a flag.

@spring-issuemaster

Luke Taylor said:

I've added a "returnToUrlParameters" property to the filter which allows you to set the parameters which will be added. If not set, it defaults to the "parameter" property of any injected AbstractRememberMeServices (obtained from the parent class).

Note that remember-me won't work with TokenBasedRememberMeServices as this implementation requires access to the password (which obviously isn't accessible with OpenID authentication).

@spring-issuemaster

Janick Reynders said:

Wow, that was fast!

Until 3.0.1 is out I'll use a custom filter with overridden OpenIDAuthenticationFilter.buildReturnToUrl() method as a workaround. Could you tell me how I have to wire this bean? Which properties do I need to set on the myCustomFilter bean when I want to replace

by

in the element?

Thanks!

@spring-issuemaster spring-issuemaster added this to the 3.0.1 milestone Feb 5, 2016