Type: Technical Documentation
Affects Version/s: 7.4.X, Master
Fix Version/s: None
Component/s: Application Security > OAuth2
Sprint: AppSec Iteration 56, AppSec Iteration 57, AppSec Iteration 58, AppSec Iteration 59, AppSec Iteration 60, AppSec Iteration 61, AppSec Iteration 62
Type of Documentation: User
This feature adds the ability to remember a user's manual authorization of an OAuth2 application on a device, so that manual authorization is not prompted again when a new token is subsequently requested from that same device.
It will be useful for different types of customers: they will be able to decide in which cases an authorization by the user on a device is necessary only once while his/her Portal session is active. Remember Device should be particularly useful for pure JavaScript Single Page Applications that use features of an OAuth2 application.
A new option is offered when registering or editing an OAuth2 application on the administration screen: a new "Remember Device" checkbox is available when the OAuth2 application uses Authorization Code or Authorization Code PKCE as its authorization type.
Note that when an application has the "Trusted" option, it can never also be marked as "Remember Device", because a trusted application never requires manual authorization in any case.
When obtaining a token for the first time on a device using Authorization Code or Authorization Code PKCE, the first step is to obtain a Liferay authorization code, so if the application is marked as "Remember Device" a new checkbox is available on the authorization screen that the user can check to remember his/her decision on that device (see image attachment).
On a technical level, this stores a cookie in the device's browser that is used when a token is next requested: if the cookie is present, manual authorization is not prompted again.
Note that this cookie is associated with the Portal session and with the refresh token, so the value of the refresh token should be expected to change (no refresh token recycling is available) when the cookie is used to skip manual authorization during the process of obtaining a new token.
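The following is an added example, not Liferay's own code, that models the two rules above: the administration-screen constraints (Remember Device only with Authorization Code / PKCE, never together with Trusted) and the cookie mechanism (the cookie is bound to the Portal session, the client and the refresh token; a valid cookie skips the consent screen; every grant issues a new refresh token and the cookie is re-associated with it). The class names, the cookie name REMEMBER_DEVICE and the in-memory storage are assumptions made for the illustration.

```python
"""Added example modelling the Remember Device decision (assumed names, not Liferay's API)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

COOKIE_NAME = "REMEMBER_DEVICE"  # assumed cookie name for this example
AUTH_CODE_GRANTS = {"authorization_code", "authorization_code_pkce"}


@dataclass
class OAuth2Application:
    client_id: str
    grant_type: str
    trusted: bool = False
    remember_device: bool = False


def validate_application(app: OAuth2Application) -> None:
    """Administration-screen rules: Remember Device is only offered for
    Authorization Code / PKCE and can never be combined with Trusted."""
    if app.remember_device and app.grant_type not in AUTH_CODE_GRANTS:
        raise ValueError("Remember Device needs Authorization Code or Authorization Code PKCE")
    if app.remember_device and app.trusted:
        raise ValueError("a Trusted application cannot be marked Remember Device")


@dataclass
class Binding:
    """What a remember-device cookie is tied to: the Portal session, the client
    and the refresh token that was issued together with the cookie."""
    session_id: str
    client_id: str
    refresh_token: str


class AuthorizationServer:
    def __init__(self) -> None:
        self.active_sessions: set[str] = set()
        self.bindings: dict[str, Binding] = {}  # cookie value -> Binding

    def login(self, session_id: str) -> None:
        self.active_sessions.add(session_id)

    def logout(self, session_id: str) -> None:
        # ending the Portal session also ends the usefulness of its cookies
        self.active_sessions.discard(session_id)
        self.bindings = {c: b for c, b in self.bindings.items() if b.session_id != session_id}

    def _valid_binding(self, app: OAuth2Application, session_id: str, cookies: dict) -> Binding | None:
        binding = self.bindings.get(cookies.get(COOKIE_NAME, ""))
        if binding is None:
            return None
        # the cookie only counts for the session and the client it was issued for
        if binding.session_id != session_id or binding.client_id != app.client_id:
            return None
        if session_id not in self.active_sessions:
            return None
        return binding

    def authorize(self, app: OAuth2Application, session_id: str, cookies: dict,
                  user_consents: bool = True, remember: bool = False) -> dict:
        """One pass through the authorization-code flow. Returns the refresh
        token, whether the consent screen was shown, and any cookie to set."""
        if session_id not in self.active_sessions:
            raise PermissionError("no active Portal session")
        binding = self._valid_binding(app, session_id, cookies) if app.remember_device else None
        prompted = not app.trusted and binding is None
        if prompted and not user_consents:
            raise PermissionError("user denied authorization")
        # no refresh token recycling: every grant issues a fresh refresh token
        refresh_token = secrets.token_urlsafe(24)
        set_cookie = None
        if binding is not None:
            # the existing cookie is re-associated with the new refresh token
            binding.refresh_token = refresh_token
        elif app.remember_device and remember:
            set_cookie = secrets.token_urlsafe(24)
            self.bindings[set_cookie] = Binding(session_id, app.client_id, refresh_token)
        return {"refresh_token": refresh_token, "prompted": prompted, "set_cookie": set_cookie}
```

The checks in `_valid_binding` are the part worth keeping in mind when reviewing the feature: a remember-device cookie presented from a different Portal session, after logout, or for a different client id does not skip the consent screen, and the refresh token stored with the binding is replaced on every grant, which is the behaviour the note above describes.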
Remember Device SHOULD NOT be used by mobile applications or by applications that cannot store the client id confidentially: in a non-secure scenario the only thing preventing a successful phishing attack is the authorization screen, which should warn the user that an application is trying to use another application's credentials.
To mark an OAuth2 application as Remember Device, an OAuth2 administrator simply enables the option on the OAuth2 application creation or editing screen, at Menu - OAuth2 Administration.
As a user, when obtaining a token for the first time on a device using Authorization Code or Authorization Code PKCE, a new checkbox is available on the authorization screen that the user can check to remember his/her decision on the device; once checked, the next time the user wants to obtain a token on that device, he/she will not be asked for manual authorization.
To test this feature, we offer an external Liferay OAuth2 Tester at: http://martamedio.com/oauth2-tester/
- OAuth2Application: the table has been modified to add a new boolean indicating whether the application has the Remember Device option or not.
- oauth2-provider-service - default.xml: a new permission has also been added to set whether trusted applications are allowed to be added by the user.
- LiferayOAuthDataProvider.java: we add to the client properties whether the application has the Remember Device option.
- LiferayAccessTokenService: during the process of obtaining the token, we associate the cookie with the refresh token obtained.
- AuthorizationCodeGrantServiceRegistrator.java: several methods of the OAuth2 flow have been overridden to intercept the cookie and check that it is valid, in order to skip manual authorization.