Thread: "Remember me" in oAuth-Spring

  1. #1
    Join Date
    Aug 2012
    Posts
    104

    "Remember me" in oAuth-Spring

    Hi,

    I work with Spring for oAuth M6 (not the RC's since we have no time for upgrades yet).

    My question - is the "remember me" implementation working for M6? I've been trying to look here but could not find any good reference (in the forum and in the docs). If it is - is there a short guide or something?

    thanks!
    Ohad

  2. #2
    Join Date
    Jun 2005
    Posts
    4,241

    Are you talking about OAuthRememberMeServices (which hasn't changed since M3 or M4, but has a NoOp implementation that is broken according to JIRA), or about the traditional Spring Security rememberme features (which are orthogonal to OAuth)?

  3. #3
    Join Date
    Aug 2012
    Posts
    104

    Hi Dave,

    Actually yeah - I was talking about OAuthRememberMeServices...
    The thing is that I want to support the "remember-me" feature within my oAuth-Provider. How do I do it actually? Is traditional Spring's AbstractRememberMeServices supposed to be good enough? I guess not, otherwise you would not have written OAuthRememberMeServices. Am I right? What do you mean by "orthogonal"?

    BTW I do see the NoOp impl, but I also see HttpSessionOAuthRememberMeServices... what about this impl?

    Thanks!

  4. #4
    Join Date
    Jun 2005
    Posts
    4,241

    Quote Originally Posted by OhadR
    What do you mean by "orthogonal"?
    They are different features. The traditional Spring Security rememberme is for authentications that survive across server session restarts (by storing something elsewhere, typically on the client). The OAuth version is for remembering token information during the OAuth authorization.

    BTW I do see the NoOp impl, but I also see HttpSessionOAuthRememberMeServices... what about this impl?
    That one would work where needed. I never had any problems with it anyway (but I'm not a heavy user of OAuth 1.0).

  5. #5
    Join Date
    Aug 2012
    Posts
    104

    Quote Originally Posted by Dave Syer
    They are different features. The traditional Spring Security rememberme is for authentications that survive across server session restarts (by storing something elsewhere, typically on the client). The OAuth version is for remembering token information during the OAuth authorization.
    Well, sorry for being a rookie, but why do I need "rememberMe" during the oAuth authorization process? What happens if I do not use it?
    Currently, I use oAuth 2 - and AFAIK I do not use "remember me" - and it seems to work. What is the benefit of RememberMe for oAuth?

    I would like to use the "remember me" option in my oAuth2 server, meaning if a user has signed in, the server will "remember him" so next time (in a different session) he will not have to enter credentials again (till the token/cookie expires). In this case can I use the "traditional" Spring "remember me"?


    Quote Originally Posted by Dave Syer
    That one would work where needed. I never had any problems with it anyway (but I'm not a heavy user of OAuth 1.0).
    Oh, HttpSessionOAuthRememberMeServices is for oAuth 1.0 only? Is there a working implementation for 2.0?

  6. #6
    Join Date
    Jun 2005
    Posts
    4,241

    Quote Originally Posted by OhadR
    In this case can I use the "traditional" Spring "remember me"?
    Yes, I think so, if I understand your use case.

    Oh, HttpSessionOAuthRememberMeServices is for oAuth 1.0 only? Is there a working implementation for 2.0?
    In OAuth2 we use the standard Spring MVC SessionAttributeStore for storing state needed during the authorization flow. I don't remember you saying you were using OAuth2. If so then the OAuthRememberMeServices are a complete blind alley, sorry.
