[UY-671] Machine remember support on endpoint Created: 27/Jan/18 Updated: 10/Jul/18 Resolved: 10/Jul/18
|Reporter:||Krzysztof Benedyczak||Assignee:||Piotr Piernik|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Link:||Basic MFA support|
Add a new option to authentication realm configuration (next to the already existing enableRememberMeFor):
Change the semantics (handling and documentation) of enableRememberMeFor so that it is used only when the policy is != disallow, has a default value (e.g. 14 days) and requires a value > 0. In other words it no longer enables/disables the remember me feature; it merely controls the duration.
The existing remember me feature implementation should be dropped in favour of the implementation described below. This means that the remember me feature must not interfere with the login session time.
If the rememberMe checkbox was checked (on any screen) then, after a successful authentication, Unity should set an additional rememberMe cookie lasting for the rememberMeFor time and additionally store a corresponding rememberMe object in the tokens store.
The cookie must contain two values: a crypto strong random token (called rememberMeToken) and a random seriesToken. In the DB we store a corresponding entry under the key (i.e. the token value in the Unity token store API sense) of the seriesToken from the cookie:
DB object should also be limited to the remember me time.
Verification of remember me cookie:
When the remember me feature is active we should log in the user automatically (if allowForWholeAuthn is set) or store this information and skip the 2nd factor authN (if any). The login session must contain the information that the rememberMe feature caused the authentication.
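The issuance and verification flow described above, as an added illustration that is not Unity's code: the seriesToken is the lookup key in the token store, the rememberMeToken is the secret proved by the cookie, both the cookie and the store entry are bounded by enableRememberMeFor, and the result carries the flag that remember me caused the authentication. The policy name allowFor2ndFactor, the cookie name and the hashing of the stored rememberMeToken are assumptions of this example, not details from the spec.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Policy values: "disallow" and "allowForWholeAuthn" come from the spec;
# "allowFor2ndFactor" is an assumed name for the "skip only the 2nd factor" policy.
DISALLOW = "disallow"
ALLOW_FOR_WHOLE_AUTHN = "allowForWholeAuthn"
ALLOW_FOR_2ND_FACTOR = "allowFor2ndFactor"
REMEMBER_ME_COOKIE = "rememberMe"  # assumed cookie name


@dataclass
class RealmConfig:
    remember_me_policy: str = DISALLOW
    enable_remember_me_for: timedelta = timedelta(days=14)  # default duration from the spec


def validate_realm_config(cfg: RealmConfig) -> None:
    """enableRememberMeFor is only consulted when policy != disallow, and must then be > 0."""
    if cfg.remember_me_policy == DISALLOW:
        return
    if cfg.remember_me_policy not in (ALLOW_FOR_WHOLE_AUTHN, ALLOW_FOR_2ND_FACTOR):
        raise ValueError(f"unknown rememberMe policy {cfg.remember_me_policy!r}")
    if cfg.enable_remember_me_for <= timedelta(0):
        raise ValueError("enableRememberMeFor must be > 0 when remember me is allowed")


@dataclass
class RememberMeRecord:
    """Token store entry, keyed by seriesToken. Only a hash of rememberMeToken is kept (assumption)."""
    entity_id: int
    token_hash: str
    expires: datetime


@dataclass
class Cookie:
    name: str
    value: str
    expires: datetime


@dataclass
class RememberMeResult:
    entity_id: int
    whole_authn: bool       # True: log in fully; False: only skip the 2nd factor
    remember_me_used: bool  # must end up in the login session


class RememberMeService:
    def __init__(self, cfg: RealmConfig, now: Optional[Callable[[], datetime]] = None):
        validate_realm_config(cfg)
        self.cfg = cfg
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.token_store: Dict[str, RememberMeRecord] = {}  # stands in for the Unity token store

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, entity_id: int) -> Optional[Cookie]:
        """Called after a successful authentication when the rememberMe checkbox was checked."""
        if self.cfg.remember_me_policy == DISALLOW:
            return None
        series_token = secrets.token_urlsafe(16)       # key in the token store
        remember_me_token = secrets.token_urlsafe(32)  # crypto strong secret proved by the cookie
        expires = self.now() + self.cfg.enable_remember_me_for
        self.token_store[series_token] = RememberMeRecord(entity_id, self._hash(remember_me_token), expires)
        # Cookie and DB entry share the same remember-me lifetime.
        return Cookie(REMEMBER_ME_COOKIE, f"{series_token}|{remember_me_token}", expires)

    def verify(self, cookie_value: str) -> Optional[RememberMeResult]:
        """Returns the entity to authenticate, or None when the cookie must be ignored."""
        if self.cfg.remember_me_policy == DISALLOW:
            return None
        series_token, sep, presented = cookie_value.partition("|")
        if not sep:
            return None
        record = self.token_store.get(series_token)
        if record is None:
            return None
        if self.now() >= record.expires:
            del self.token_store[series_token]  # expired entries are dropped on sight
            return None
        if not hmac.compare_digest(record.token_hash, self._hash(presented)):
            # Known series but wrong secret: invalidate the series rather than leave it usable.
            del self.token_store[series_token]
            return None
        return RememberMeResult(
            entity_id=record.entity_id,
            whole_authn=self.cfg.remember_me_policy == ALLOW_FOR_WHOLE_AUTHN,
            remember_me_used=True,
        )
```

The injectable clock exists only so the expiry path can be exercised deterministically; in a deployment the default UTC clock is used and the token store is the persistent one, with the entry's lifetime matching the cookie's.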
|Comment by Krzysztof Benedyczak [ 19/Jun/18 ]|
Piotr Piernik, as the link is dead, I've updated the spec with more details.