[UY-671] Machine remember support on endpoint Created: 27/Jan/18  Updated: 10/Jul/18  Resolved: 10/Jul/18

Status: Done
Project: UY
Component/s: None
Affects Version/s: None
Fix Version/s: v2.6.0

Type: Task Priority: Medium
Reporter: Krzysztof Benedyczak Assignee: Piotr Piernik
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Story Points: 15
Epic Link: Basic MFA support

Description

Add a new option to authentication realm configuration (next to the already existing enableRememberMeFor):

unityServer.core.endpoints.X.machineRememberPolicy

Allowed values:

  • disallow
  • allowFor2ndFactor (default)
  • allowForWholeAuthn

Change the semantics (handling and documentation) of enableRememberMeFor so that it is used only when the policy is != disallow, has a default value (e.g. 14days) and requires a value > 0. In other words it no longer enables/disables the remember me feature; it merely controls the duration.


The existing remember me feature implementation should be dropped in favour of the implementation described below. This means that remember me feature must not interfere with login session time.


UI support:

  • disallow: then do nothing
  • allowForWholeAuthn: then appropriate checkbox should be displayed on the initial login screen.
  • allowFor2ndFactor: then the same checkbox should be displayed only on the 2nd factor authn screen.

If the rememberMe checkbox was checked (on any screen) then Unity should, after successful authentication, set an additional rememberMe cookie lasting for the configured rememberMeFor time and additionally store a corresponding rememberMe object in the tokens store.

The cookie must contain two values: a crypto strong random token (called rememberMeToken) and a random seriesToken. In the DB we store a corresponding entry under the key (i.e. token value in the Unity token store API sense) of the seriesToken from the cookie, containing:

  • user's entity
  • login machine details: IP, OS, browser
  • login time
  • credential(s) that were used when authenticating (not needed now, we may need this for step up authN in future).
  • a SHA hash of the "rememberMeToken"
  • a value of machineRememberPolicy that is set when creating the token

DB object should also be limited to the remember me time.

Verification of remember me cookie:

  1. obtain the corresponding entry from the DB by the seriesToken from the cookie. If missing, ignore the cookie; the remember me feature is not active.
  2. hash the rememberMeToken from the cookie and compare it against the hash from the DB. If not equal then log an error, drop all remember me tokens for the user from the DB; the remember me feature is not active.
  3. check if machineRememberPolicy is still the same as stored with the token. If not then the stored rememberMe token is ignored.
  4. at this stage the remember me feature is active

When the remember me feature is active we should log in the user automatically (if allowForWholeAuthn is set) or store this information and skip 2nd factor authN (if any). The login session must contain information that the rememberMe feature caused the authentication.
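The cookie issuance and the four verification steps above, as an added illustration that is not Unity's code: the token store is a hypothetical in-memory dictionary keyed by seriesToken, and the expiry check is folded into step 1 (an expired entry is treated as missing, since the DB object is bounded to the remember-me time).

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class RememberMeEntry:
    """DB-side record stored under the seriesToken; holds only a hash of rememberMeToken."""
    entity: str        # user's entity id
    machine: str       # login machine details (IP, OS, browser); constructed sample string
    login_time: int    # seconds since epoch
    expires_at: int    # bounded to the configured remember-me duration
    token_hash: str    # SHA-256 of rememberMeToken, never the token itself
    policy: str        # machineRememberPolicy in force when the token was created


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class RememberMeStore:
    """Hypothetical in-memory stand-in for the Unity token store (not the real API)."""

    def __init__(self):
        self.entries = {}  # seriesToken -> RememberMeEntry

    def issue(self, entity, machine, login_time, ttl, policy):
        """Mint the two cookie values, persist the hashed entry, return the cookie."""
        series = secrets.token_urlsafe(24)   # lookup key, not a secret on its own
        token = secrets.token_urlsafe(32)    # crypto-strong proof of possession
        self.entries[series] = RememberMeEntry(
            entity, machine, login_time, login_time + ttl, sha256_hex(token), policy)
        return {"seriesToken": series, "rememberMeToken": token}

    def drop_all_for(self, entity):
        self.entries = {s: e for s, e in self.entries.items() if e.entity != entity}

    def verify(self, cookie, current_policy, now):
        """Apply the four verification steps; returns (active, entity)."""
        entry = self.entries.get(cookie.get("seriesToken"))
        if entry is None or now > entry.expires_at:       # step 1: unknown or expired series
            return False, None
        presented = sha256_hex(cookie.get("rememberMeToken", ""))
        if not secrets.compare_digest(presented, entry.token_hash):  # step 2, constant time
            # known series but wrong token: treat the cookie as stolen, revoke all user's series
            self.drop_all_for(entry.entity)
            return False, None
        if entry.policy != current_policy:                # step 3: policy changed since issue
            return False, None
        return True, entry.entity                         # step 4: feature is active
```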



Comments
Comment by Krzysztof Benedyczak [ 19/Jun/18 ]

Piotr Piernik as the link is dead I've updated the spec with more details.

Generated at Tue Sep 17 02:58:12 CEST 2019 using Jira 8.3.3#803004-sha1:4d4040e0714d65b7fffa4801569d014c0b16eaa9.