Announcement Announcement Module
Collapse
No announcement yet.
"Remember me" in oAuth-Spring Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • "Remember me" in oAuth-Spring

    Hi,

    I work with Spring for oAuth M6 (not the RC's since we have no time for upgrades yet).

    My question - is the "remember me" implementation working for M6? i've been trying to look here but could not find any good ref (in the form and in the docs) If it is - is there a short guide or something?

    thanks!
    Ohad

  • #2
    Are you talking about OAuthRememberMeServices (which hasn't changed since M3 or M4, but has a NoOp implementation that is broken according to JIRA), or about the traditional Spring Security rememberme features (which are orthogonal to OAuth)?

    Comment


    • #3
      Hi Dave,

      Actually yeah - I was talking about OAuthRememberMeServices...
      The thing is that I want to support the "remember-me" feature within my oAuth-Provider. How do I do it actually? Traditional Spring's AbstractRememberMeServices suppose to be good enough? I guess not, otherwise you would not have written OAuthRememberMeServices. Am I right? What you mean by "orthogonal"?

      BTW I do see the NoOp impl, but i do see also HttpSessionOAuthRememberMeServices... what about this impl?

      Thanks!

      Comment


      • #4
        Originally posted by OhadR View Post
        What you mean by "orthogonal"?
        They are different features. The traditional Spring Security rememberme is for authentications that survive across server session restarts (by storing something elsewhere, typically on the client). The OAuth version is for remembering token information during the OAuth authorization.

        BTW I do see the NoOp impl, but i do see also HttpSessionOAuthRememberMeServices... what about this impl?
        That one whould work where needed. I never had any problems with it anyway (but I'm not a heavy user of OAuth 1.0).

        Comment


        • #5
          Originally posted by Dave Syer View Post
          They are different features. The traditional Spring Security rememberme is for authentications that survive across server session restarts (by storing something elsewhere, typically on the client). The OAuth version is for remembering token information during the OAuth authorization.
          Well, sorry for being a Rookie, but why do I need "rememberMe" during the oAuth authorization process? what happens if I do not use it ?
          Currently, I use oAuth 2 - and AFAIK I do not use "remember me" - and it seems to work. What is the benefit of RemeberMe for oAuth?

          I would like to use "remember me" option in my oAuth2 server, meaning if a user have signed in, the server will "remember him" so next time (in a different session) he will not have to enter credentials again (till the token/cookie expires). In this case can I use the "traditional" Spring "remember me"?


          Originally posted by Dave Syer View Post
          That one whould work where needed. I never had any problems with it anyway (but I'm not a heavy user of OAuth 1.0).
          Oh, HttpSessionOAuthRememberMeServices is for oAuth 1.0 only? Is there a working implemetation for 2.0?

          Comment


          • #6
            Originally posted by OhadR View Post
            In this case can I use the "traditional" Spring "remember me"?
            Yes, I think so, if I understand your use case.

            Oh, HttpSessionOAuthRememberMeServices is for oAuth 1.0 only? Is there a working implemetation for 2.0?
            In OAuth2 we use the standard Spring MVC SessionAttributeStore for storing state needed during the authorization flow. I don't remember you saying you were using OAuth2. If so then the OAuthRememberMeServices are a complete blind alley, sorry.

            Comment

            Working...
            X