What is "remember me" for in pac4j?


Albert Gan

Sep 5, 2020, 5:30:42 AM
to Pac4j users mailing list
Hello again!

I just want to clear up my curiosity. Please share your thoughts.

As far as I know, the "remember me" feature is there to help the user avoid typing in their login username or email repeatedly.

Here's what I had tried:
1. formClient.addAuthorizationGenerator(new RememberMeAuthorizationGenerator<CommonProfile>());
2. <input type="hidden" name="rme" value="true" />
3. After login, I can see from the debug output that the profile's isRemembered = True

So after that, the use of "remember me" is only in the IsFullyAuthenticated vs IsRemembered authorizer, correct? For example, I want to protect a resource that requires a fully authenticated profile, without isRemembered=True.

But when is the use case to use isRemembered? For example, I want to protect a resource that has a profile with isRemembered=True? Why would I need that?

And if I were to help retain username information using the "remember me" feature, how would I do that? After a logout, it redirects to /login. How do I get the username to prefill for the user?

Warm regards,
Albert Gan

Jérôme LELEU

Sep 8, 2020, 2:20:25 AM
to Albert Gan, Pac4j users mailing list
Hi,

In fact, I think the RememberMeAuthorizationGenerator is misleading. It should certainly be removed.

Indeed, a profile may be remembered and checked via the appropriate authorizer, but I don't think the "remember me" nature should be populated via the form.
If you click on the "remember me" checkbox, in fact, you want the profile to be remembered after you log out or close the browser, so you should certainly clone the profile, mark it as "remember me" and save it somehow (JWT in a cookie, for example),
and you should add the appropriate authentication mechanism to find this "remember me" profile back (CookieClient with JwtAuthenticator, for example).
Thanks.
Best regards,
Jérôme



Albert Gan

Oct 14, 2020, 12:33:42 AM
to Pac4j users mailing list
Hi, my replies are under each quote:

>> If you click on the "remember me" checkbox, in fact, you want the profile to be remembered after you log out or close the browser,
Is the profile here the username only, or the whole profile object serialized? Does this also mean that after logout, the user can instantly be logged in as if he had a very long session, without having to go through the login form again? Or does it mean going to the login form with username + password prefilled (and if that were the case, I wonder how to prefill the password field, since we're not storing the plain password, but the encoded version of it)?

>> so you should certainly clone the profile, mark it as "remember me" and save it somehow (JWT in a cookie for example)
May I ask where I can do this? I tried checking formClient.setXXX --> I couldn't find a successful-login callback so that I can save it into the cookie. I am using undertow-pac4j.

Thank you for your pointers !

Jérôme LELEU

Oct 14, 2020, 1:57:40 AM
to Albert Gan, Pac4j users mailing list
Hi,

It should be the whole profile, but it's up to you. You may decide that the remembered profile does not have the same roles, for example. You may turn the remembered profile into a JWT and save that in a cookie for 2 months, for example, and if you find a cookie with a valid JWT, you have a valid remembered profile without logging in with a valid username/password.
You can't clone a profile, you need to create a new one and copy the data.
Thanks.
Best regards,
Jérôme


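Added example (Java; not code from the thread, nor from the pac4j project) of the recipe Jérôme describes in his two replies: build a new profile instead of a clone, mark it remembered, store it as a signed and encrypted JWT in a cookie, and read it back with a CookieClient plus JwtAuthenticator. It assumes pac4j 4.x; the class name RememberMeSupport, the cookie name pac4j_rme, the two-month lifetime and the secrets are assumptions, and the comments tie the result back to Albert's IsFullyAuthenticated vs IsRemembered question.

```java
import java.util.Date;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.definition.CommonProfileDefinition;
import org.pac4j.http.client.direct.CookieClient;
import org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.pac4j.jwt.profile.JwtGenerator;

/** Hypothetical helper (not pac4j code): a long-lived "remember me" profile kept as an encrypted JWT in a cookie. */
public final class RememberMeSupport {
    static final String COOKIE_NAME = "pac4j_rme";           // assumed cookie name
    private final SecretSignatureConfiguration signature;    // HS256; secret of at least 32 bytes
    private final SecretEncryptionConfiguration encryption;  // A256GCM; 32-byte secret

    RememberMeSupport(String signingSecret, String encryptionSecret) {
        this.signature = new SecretSignatureConfiguration(signingSecret);
        this.encryption = new SecretEncryptionConfiguration(encryptionSecret);
    }

    /** Profiles cannot be cloned: build a new one carrying only the data the long-lived token should hold. */
    CommonProfile toRememberedProfile(CommonProfile authenticated) {
        CommonProfile remembered = new CommonProfile();
        remembered.setId(authenticated.getId());
        remembered.addAttribute(CommonProfileDefinition.EMAIL, authenticated.getEmail());
        remembered.addAttribute(CommonProfileDefinition.DISPLAY_NAME, authenticated.getDisplayName());
        remembered.setRemembered(true);  // no roles copied on purpose: remembered is weaker than fully authenticated
        return remembered;
    }

    /** Signed and encrypted JWT, valid for about 2 months, to store in the COOKIE_NAME cookie (HttpOnly, Secure). */
    String toCookieValue(CommonProfile remembered) {
        JwtGenerator<CommonProfile> generator = new JwtGenerator<>(signature, encryption);
        generator.setExpirationTime(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(60)));
        return generator.generate(remembered);
    }

    /** Direct client that rebuilds the profile from the cookie and re-applies the remembered flag to the restored
     *  profile, so IsFullyAuthenticatedAuthorizer rejects it while IsRememberedAuthorizer accepts it. */
    CookieClient cookieClient() {
        JwtAuthenticator authenticator = new JwtAuthenticator();
        authenticator.addSignatureConfiguration(signature);
        authenticator.addEncryptionConfiguration(encryption);
        CookieClient client = new CookieClient(COOKIE_NAME, authenticator);
        client.addAuthorizationGenerator((ctx, profile) -> { profile.setRemembered(true); return Optional.of(profile); });
        return client;
    }
}
```

After a successful form login, write toCookieValue(toRememberedProfile(profile)) into the cookie and register cookieClient() next to the FormClient so later requests are matched against it; resources that must not accept a remembered profile are then protected with IsFullyAuthenticatedAuthorizer rather than IsAuthenticatedAuthorizer.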