Does FusionAuth support a "Remember Me" functionality?
-
Hi all,
This looks like a fundamental question to me but I couldn't find any previous discussion (which probably means that I don't fully understand the topic yet).
Does FusionAuth support a "Remember Me" functionality? What I would expect is the ability to add a "Remember Me" checkbox to the login dialog (as usual). Clicking it would allow web apps to authenticate without requiring the user to enter their credentials even after closing the browser.
Thank you for your help.
-
Hiya,
Are you looking to use the login API and build your own pages, or the hosted login pages (which you can theme but FusionAuth will host)?
Thanks,
Dan
-
I'm primarily interested in the hosted login pages.
However, let me know of any other setup you may have in mind so I can examine the possibility. Thank you.
-
Hiya,
I spent some time thinking about this. It's not built into FusionAuth (nor other oauth identity providers that I could find) and will take some coding on your end.
I'm going to assume you are using a store between your client (the browser, a mobile app) and FusionAuth. This allows you to store the access token and the refresh token server side. It's also outlined here: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-sessions
If that is the case, to achieve 'remember me', I'd do the following:
- make sure that fusionauth and the store were in the same domain (example.com).
- make sure you ask for the offline_access scope when presenting the login form.
- modify the theme to add a checkbox and some javascript on the login page, which is the OAuth authorize page. More about themes. Have the javascript set a cookie (rememberme) when checked, and make sure the domain is set to something the store can read.
- On successful authorization, have the store save off both the refreshToken and accessToken returned to it in the session.
- When the client makes a request to the store, have it check to see if the rememberme cookie is set.
  - If not, then have the store make requests with the accessToken until it expires. When it does, force the user to login again.
  - If it is set, then have the store make requests with the accessToken until it expires. When it does, use the stored refreshToken to retrieve a new access token.
Does that help?
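The store-side check from the last step of the reply above, as an added example that is not part of the original thread and not FusionAuth code. The function names, the session shape and the injected refreshFn are assumptions; the token response fields are the standard OAuth 2.0 ones, and any rememberme cookie counts as "set".

```javascript
// Added example. Hypothetical names: parseCookies, decide, applyRefresh,
// clearSession, resolveAccessToken, refreshFn, and the session shape.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// session = { accessToken, refreshToken, expiresAt (ms) }, held server side.
// Returns 'use', 'refresh' or 'login'.
function decide(session, cookieHeader, now) {
  if (!session || !session.accessToken) return 'login';
  if (now < session.expiresAt) return 'use';
  // The cookie is written by page JavaScript, so the browser user controls it.
  // It only selects behaviour; the refresh token itself never leaves the store.
  const remember = parseCookies(cookieHeader).has('rememberme');
  return remember && session.refreshToken ? 'refresh' : 'login';
}

function applyRefresh(session, tokens, now) {
  session.accessToken = tokens.access_token;
  // Keep the new refresh token if the server rotated it.
  if (tokens.refresh_token) session.refreshToken = tokens.refresh_token;
  session.expiresAt = now + tokens.expires_in * 1000;
}

function clearSession(session) {
  if (session) { session.accessToken = session.refreshToken = null; session.expiresAt = 0; }
}

// refreshFn(refreshToken) performs the OAuth refresh_token grant against the
// identity provider and resolves to the token response (injected, assumed).
async function resolveAccessToken(session, cookieHeader, refreshFn, now = Date.now()) {
  const step = decide(session, cookieHeader, now);
  if (step === 'use') return session.accessToken;
  if (step === 'refresh') {
    try {
      applyRefresh(session, await refreshFn(session.refreshToken), now);
      return session.accessToken;
    } catch (err) { /* refresh token revoked or expired: fall through */ }
  }
  clearSession(session); // drop stale tokens; caller sends the user to login
  return null;
}
```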
-
Hi, thanks for the info.
I get the idea but it's hard for me to even try to implement at the moment. I haven't done any OpenID related coding yet, plus one of my apps is a WordPress site and I would need to dab into the OpenID plugin's code. I'm keeping the info though as I may try to go for it down the road.
By the way, it is my understanding that Keycloak has this feature built in. I don't have any hands-on experience so I can't be certain on how it works. You may want to have a look at it though in case it's something you wish to integrate in the future.
https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/login-settings/remember-me.html
Thanks again for your time.
-
Hiya,
Thanks for the feedback. I filed a feature request and we'll see what the community feedback for this idea is.
Thanks!
-
Is this a different use case than SSO, and if so, what are the limitations of SSO as it is currently implemented that don't fit this use case?
-
You can also view some of the back and forth between @robotdan and me on the issue I filed: https://github.com/FusionAuth/fusionauth-issues/issues/878