How to implement Remember Me option on login page


#1

I have a login page with username & password with OAuth2 login. My boss asked me to put a “remember me” checkbox option for the user, remembering the login for 30 days.

  • From the consent app's point of view, how do I tell the OAuth2 server it should remember the user for 30 days (maybe this value is set in the cookie?) via the Hydra SDK?
  • For logout, do I revoke the access token? And how do I tell the OAuth2 server it must clear the cookie?
  • What is the minimum version of Ory Hydra/SDK that supports these features?

#2

From the consent app's point of view, how do I tell the OAuth2 server it should remember the user for 30 days (maybe this value is set in the cookie?) via the Hydra SDK?

With the remember and rememberFor keys in the login response

For logout, do I revoke the access token? And how do I tell the OAuth2 server it must clear the cookie?

There is a new endpoint in beta.5 for this, see: https://www.ory.sh/docs/guides/master/hydra/3-overview/1-oauth2#revoking-consent-and-login-sessions

What is the minimum version of Ory Hydra/SDK that supports these features?

Currently 1.0.0-beta.5
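
A worked version of the answer above, added here as an example rather than code from the thread or from Ory: a Go login app maps the "remember me" checkbox to the remember and remember_for fields of the accept-login body (the SDKs expose the same pair as remember / rememberFor) and PUTs it to Hydra's admin API. The admin base URL and the path /oauth2/auth/requests/login/accept?login_challenge= are assumptions that vary between Hydra versions, and newFakeHydra is a constructed stand-in for the admin API so the program runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// AcceptLoginRequest is the JSON body a login app sends when it accepts a
// login challenge. Field names follow Hydra's REST API (remember /
// remember_for); the SDKs expose the same pair as remember / rememberFor.
type AcceptLoginRequest struct {
	Subject     string `json:"subject"`
	Remember    bool   `json:"remember"`
	RememberFor int64  `json:"remember_for"` // seconds; 0 = browser session only
}

// buildAcceptLogin maps the "remember me" checkbox to the accept body.
// Unchecked (or days <= 0) sends remember=false so Hydra keeps the login
// only for the current browser session.
func buildAcceptLogin(subject string, rememberMe bool, days int) AcceptLoginRequest {
	req := AcceptLoginRequest{Subject: subject}
	if rememberMe && days > 0 {
		req.Remember = true
		req.RememberFor = int64((time.Duration(days) * 24 * time.Hour).Seconds())
	}
	return req
}

// acceptLogin PUTs the body to Hydra's admin API and returns the redirect_to
// URL the browser must be sent to so Hydra can finish the flow. The admin
// path is an assumption: it changed between Hydra versions.
func acceptLogin(client *http.Client, adminURL, challenge string, body AcceptLoginRequest) (string, error) {
	payload, err := json.Marshal(body)
	if err != nil {
		return "", err
	}
	endpoint := fmt.Sprintf("%s/oauth2/auth/requests/login/accept?login_challenge=%s",
		adminURL, url.QueryEscape(challenge))
	req, err := http.NewRequest(http.MethodPut, endpoint, bytes.NewReader(payload))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("hydra admin API returned %s", resp.Status)
	}
	var out struct {
		RedirectTo string `json:"redirect_to"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	if out.RedirectTo == "" {
		return "", fmt.Errorf("hydra response has no redirect_to")
	}
	return out.RedirectTo, nil
}

// fakeRedirect is the constructed redirect_to value the stand-in returns.
const fakeRedirect = "https://hydra.example/oauth2/auth?login_verifier=constructed"

// newFakeHydra is a constructed stand-in for the admin API so the example
// runs offline. It checks the request shape and echoes a redirect_to.
func newFakeHydra() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var got AcceptLoginRequest
		if r.Method != http.MethodPut || r.URL.Query().Get("login_challenge") == "" ||
			json.NewDecoder(r.Body).Decode(&got) != nil || got.Subject == "" {
			http.Error(w, "bad accept request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"redirect_to": fakeRedirect})
	}))
}

func main() {
	srv := newFakeHydra()
	defer srv.Close()

	// Checkbox ticked: remember the login for 30 days (2592000 seconds).
	body := buildAcceptLogin("alice@example.com", true, 30)
	fmt.Printf("accept body: %+v\n", body)
	redirect, err := acceptLogin(srv.Client(), srv.URL, "constructed-challenge", body)
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect browser to:", redirect)
}
```

With the box unchecked the app sends remember=false and remember_for=0, so the login is not persisted beyond the browser session; a later revocation of tokens then does what post #3 below describes.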


#3

DELETE to /oauth2/auth/sessions/login/{user}

Guide says that it will remove all session cookies from all devices.
Is there a way to remove only the current user’s cookie?

Using it for a first party client and thinking about how to implement logout.
One way would be to always set remember to false and rely on the existence of access/refresh tokens to authenticate the user; once these are deleted, authentication will fail and the user will be redirected back to Hydra/IdP and be shown the login screen.

Problem with this approach is that if the user clicks on a sign in link somewhere, they will be presented with the login screen even though they are logged in.

On the other hand, if I will use the remember flag, there’s no way to log out the user on that specific device.

Another way around: if Hydra and the IdP are on the same domain, the IdP can create a /logout endpoint that deletes the Hydra session cookie, but that’s not very clean and might break if the cookie name changes, etc.


#4

Not right now. We would probably need some type of front-end channel to achieve that. Then you would redirect the user to http://hydra/oauth2/login/signout (or something like that) which removes the cookie and then redirects to some whitelisted URL. What do you think?


#5

Yeah sounds like a good option.
If Hydra is creating the session it also makes sense it will be removing the session.

Until then, since I am hosting the idp on the same domain as Hydra, I am going to implement this endpoint on idp and basically delete Hydra’s cookie

Regarding the redirect: why does it have to be whitelisted? Can’t we just send the user to whatever the ?redirect= value is? What is the security concern?


#6

Until then, since I am hosting the idp on the same domain as Hydra, I am going to implement this endpoint on idp and basically delete Hydra’s cookie

Maybe your time would be better spent to submit a PR for this in ORY Hydra, so all the community has a benefit? :slight_smile:

Regarding the redirect: why does it have to be whitelisted? Can’t we just send the user to whatever the ?redirect= value is? What is the security concern?


#7

Will have to learn Go.

I’ll take a look at the code and see how easy it will be for me to implement


#8

That’s the perfect opportunity for you to learn the language of the cloud and the language of future web services :slight_smile:

The issue is pretty straightforward. Add a config item to the configurator (the whitelisted URLs), add a logout endpoint, and at the logout endpoint delete the cookie, then redirect to the URL :slight_smile:

If you need help, feel free to discuss in a PR!
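
The logout endpoint sketched in the post above, as an added Go example that is neither Hydra's code nor the poster's: it expires the session cookie by name and honours ?redirect= only when the value matches a configured whitelist entry by scheme, host and path prefix, falling back to a default URL otherwise. That match is what the whitelisting asked about in #5 buys: without it the endpoint would forward users to any URL placed in the query string. CookieName (a placeholder here), the URLs and the redirect query parameter name are assumptions; run drives the handler against constructed requests so it runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// LogoutConfig holds the two pieces the post calls for: the whitelisted
// post-logout URLs and where to send users whose ?redirect= is not on it.
// CookieName is configured rather than hard-coded so a rename of Hydra's
// session cookie does not silently break logout (the concern raised in #3).
type LogoutConfig struct {
	CookieName  string
	AllowedURLs []string
	DefaultURL  string
}

// isAllowedRedirect accepts raw only if it is an absolute URL whose scheme and
// host match a whitelist entry and whose path is that entry's path or below it.
// Relative paths, scheme-less //host forms and look-alike hosts are rejected.
func isAllowedRedirect(raw string, allowed []string) bool {
	target, err := url.Parse(raw)
	if err != nil || target.Scheme == "" || target.Host == "" {
		return false
	}
	path := target.Path
	if path == "" {
		path = "/"
	}
	for _, entry := range allowed {
		ok, err := url.Parse(entry)
		if err != nil {
			continue
		}
		if !strings.EqualFold(target.Scheme, ok.Scheme) || !strings.EqualFold(target.Host, ok.Host) {
			continue
		}
		base := strings.TrimSuffix(ok.Path, "/")
		// "/app" matches "/app" and "/app/x" but not "/application".
		if path == ok.Path || strings.HasPrefix(path, base+"/") {
			return true
		}
	}
	return false
}

// Logout expires Hydra's session cookie and redirects the browser. Expiring a
// cookie by name only works when this handler is served on the same domain
// and path scope that set it, which is the same-domain setup the thread assumes.
func (c LogoutConfig) Logout(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: c.CookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true,
	})
	dest := c.DefaultURL
	if want := r.URL.Query().Get("redirect"); isAllowedRedirect(want, c.AllowedURLs) {
		dest = want
	}
	http.Redirect(w, r, dest, http.StatusFound)
}

// run drives the handler against a constructed request and returns the
// status, Location and Set-Cookie headers for inspection.
func run(cfg LogoutConfig, target string) (int, string, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	cfg.Logout(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Set-Cookie")
}

func main() {
	cfg := LogoutConfig{
		CookieName:  "HYDRA_SESSION_COOKIE_NAME_PLACEHOLDER", // set to your Hydra's cookie name
		AllowedURLs: []string{"https://app.example/"},
		DefaultURL:  "https://app.example/",
	}
	for _, q := range []string{
		"/logout?redirect=https://app.example/home",
		"/logout?redirect=https://evil.example/",
		"/logout?redirect=//evil.example/",
	} {
		code, loc, cookie := run(cfg, q)
		fmt.Printf("%s -> %d %s (%s)\n", q, code, loc, cookie)
	}
}
```

The cookie is cleared with Max-Age=0 on the same Path the session cookie uses; if Hydra sets a Domain attribute, the clearing cookie must carry the same one or the browser keeps the original.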


#9

Tracking here: