
[Doc] Documentation of the Story: As an End User, I want to make the portal to remember my authorization grant for a specific application/client id on a specific and for multiple applications/client ids on arbitrary devices

    Details

    • Type: Technical Documentation
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: 7.4.X, Master
    • Fix Version/s: None
    • Labels: None
    • Sprint: AppSec Iteration 56, AppSec Iteration 57, AppSec Iteration 58, AppSec Iteration 59, AppSec Iteration 60, AppSec Iteration 61, AppSec Iteration 62
    • Type of Documentation: User

      Description

      Confluence page:

      https://liferay.atlassian.net/wiki/spaces/ENGAPPSECURITY/pages/1477969744/Doc+Documentation+of+the+Story+As+an+End+User+I+want+to+make+the+portal+to+remember+my+authorization+grant+for+a+specific+application+client+id+on+a+specific+and+for+multiple+applications+client+ids+on+arbitrary+devices


      Background
      This feature lets the portal remember a user's manual authorization of an OAuth2 application on a given device, so that later requests for a new token from that same device do not prompt for manual authorization again.
      It is useful for different types of customers, who can control in which cases a user's authorization on a device is needed only once while his/her Portal session is active. Remember Device should be useful for pure JavaScript single-page applications that consume features through an OAuth2 application.

      Features
      A new option is offered when registering or editing an OAuth2 application in the administration screen: a "Remember Device" checkbox is available when the OAuth2 application uses Authorization Code or Authorization Code PKCE as its authorization type.
      Note that an application marked as "Trusted" can never also be marked as "Remember Device": a trusted application never requires manual authorization in the first place.

      When obtaining a token for the first time on a device using Authorization Code or Authorization Code PKCE, the first step is to obtain a Liferay authorization code. If the application is marked as "Remember Device", the authorization screen shows an additional checkbox that the user can check to remember his/her decision on that device (see image attachment).

      On a technical level this stores a cookie in the device's browser that is checked when a token is requested again; if the cookie is present, manual authorization is not prompted again.
      Note that this cookie is associated with the Portal session and with the refresh token, so when the cookie is used to skip manual authorization while obtaining a new token, the value of the refresh token should be expected to change (no refresh token recycling is available).

      Remember Device SHOULD NOT be used by mobile applications or by applications that cannot keep the client id confidential: in such a non-secure scenario, the only thing preventing a successful phishing attack is the authorization screen, which should warn the user that an application is trying to use another application's credentials.
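      To make the rules above concrete, here is an added example (written for this page, not Liferay's code) that models the consent decision: the admin-screen constraints on the "Remember Device" option, and a device cookie bound to the client id, the Portal session and the refresh token. The server-side record, the opaque random cookie value and the replacement of the bound refresh token on a cookie-based request are modeling assumptions; the ticket does not describe Liferay's actual storage or cookie format.

```python
import secrets
from dataclasses import dataclass, field
REMEMBER_CAPABLE = {"authorization_code", "authorization_code_pkce"}

@dataclass
class OAuth2App:
    client_id: str
    grant_type: str
    trusted: bool = False
    remember_device: bool = False

    def __post_init__(self):
        # Admin-screen rules: a trusted app never prompts, so it cannot also be
        # "Remember Device"; the option needs an authorization-code (PKCE) flow.
        if self.remember_device and (self.trusted or self.grant_type not in REMEMBER_CAPABLE):
            raise ValueError("Remember Device needs a non-trusted Authorization Code app")

@dataclass
class AuthServer:
    live_sessions: set = field(default_factory=set)
    active_refresh_tokens: set = field(default_factory=set)
    # assumed server-side store: cookie -> (client_id, session id, refresh token)
    devices: dict = field(default_factory=dict)

    def needs_consent(self, app, session_id, cookie):
        """True when the manual authorization screen must be shown."""
        if app.trusted:
            return False
        if not app.remember_device or cookie not in self.devices:
            return True
        client_id, bound_session, bound_refresh = self.devices[cookie]
        # Same app, same still-live Portal session, refresh token not replaced.
        return not (client_id == app.client_id and bound_session == session_id
                    and session_id in self.live_sessions
                    and bound_refresh in self.active_refresh_tokens)

    def issue_tokens(self, app, session_id, cookie=None, remember=False):
        """Issue a refresh token after consent (or a valid cookie); returns
        (refresh_token, cookie). Cookie use replaces the old refresh token."""
        refresh = secrets.token_urlsafe(32)
        self.active_refresh_tokens.add(refresh)
        if cookie in self.devices:
            self.active_refresh_tokens.discard(self.devices[cookie][2])
        elif remember and app.remember_device:
            cookie = secrets.token_urlsafe(32)  # opaque, unguessable value
        else:
            return refresh, None
        self.devices[cookie] = (app.client_id, session_id, refresh)  # (re)bind
        return refresh, cookie
```

      Ending the Portal session, replacing the refresh token, or presenting the cookie for a different client id all send the user back to the authorization screen.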

      Steps
      To mark an OAuth2 application as Remember Device, an OAuth2 administrator simply enables the option in the OAuth2 application creation or editing screen, under Menu - OAuth2 Administration.
      As a user, when obtaining a token for the first time on a device using Authorization Code or Authorization Code PKCE, a new checkbox is available in the authorization screen that can be checked to remember the decision on that device; once checked, the next time the user obtains a token on that device, no manual authorization is requested.

      To test this feature, we offer an external Liferay OAuth2 Tester at: http://martamedio.com/oauth2-tester/

              People

              Assignee: marta.medio Marta Medio (Inactive)
              Reporter: nora.szel Nóra Szél