cubicweb-oauth #3957660 Persistent login [resolved]

Once a user has logged in with, say, Facebook, they should never have to log in again for a new session until they explicitly log out.

The idea is to set an "autologin" attribute on the external identity.

This attribute is set when a user connects via Facebook, and unset on /logout.

When visiting with an anonymous session:

  • A provider-specific JavaScript snippet is inserted in the visited page.
  • This code checks the user's identity in the background; the check should fail if the user is not already connected to the provider, or has not already authorized the application to connect.
  • If an identity is found, it is sent back to CW along with the oauth2 token, which should be available. This is done with an XHR (so still in the background).
  • If the identity received by CW has the 'autologin' attribute set, the user is authenticated.
  • The JS code now knows whether the user is fully authenticated, and if so it forces a reload of the current page.
  • A later option may let the JS update only the necessary parts of the current page without reloading it completely. A callback provided by the page itself would then be given to the oauth JavaScript code.
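
The server-side decision in the steps above, as an added sketch that is not cubicweb-oauth code: it treats the identity posted by the XHR as a claim and only trusts it once the token has been checked with the provider. `ExternalIdentity`, `try_autologin`, `introspect`, `APP_ID` and the sample data are hypothetical names and constructed values; `introspect` stands in for whatever token-inspection call the provider offers.

```python
from dataclasses import dataclass

APP_ID = "example-app-id"  # constructed placeholder: this application's id at the provider

@dataclass
class ExternalIdentity:          # hypothetical stand-in for the stored external identity
    provider: str
    uid: str
    login: str
    autologin: bool = False      # set on explicit provider login, unset on /logout

def try_autologin(claim, identities, introspect):
    """Return the local login to authenticate, or None to stay anonymous.

    claim      -- dict posted by the background XHR: provider, uid, token
    identities -- mapping (provider, uid) -> ExternalIdentity
    introspect -- callable(provider, token) -> dict with assumed keys
                  valid, app_id, uid (the provider's view of the token), or None
    """
    provider, uid, token = (claim.get(k) for k in ("provider", "uid", "token"))
    if not all(isinstance(v, str) and v for v in (provider, uid, token)):
        return None
    # The uid comes from the browser: ask the provider whom the token belongs to.
    info = introspect(provider, token)
    if not info or not info.get("valid"):
        return None
    # A token issued to another application must not log anyone in here.
    if info.get("app_id") != APP_ID or info.get("uid") != uid:
        return None
    identity = identities.get((provider, uid))
    # Silent login only for identities flagged at an earlier explicit login.
    if identity is None or not identity.autologin:
        return None
    return identity.login

def logout(identity):
    """Unset the flag so the next anonymous visit is not logged back in."""
    identity.autologin = False

# Constructed sample data, for illustration only.
SAMPLE_IDENTITIES = {("facebook", "1001"): ExternalIdentity("facebook", "1001", "alice", True)}
SAMPLE_TOKENS = {
    "tok-alice": {"valid": True, "app_id": APP_ID, "uid": "1001"},
    "tok-other-app": {"valid": True, "app_id": "some-other-app", "uid": "1001"},
}

def sample_introspect(provider, token):
    return SAMPLE_TOKENS.get(token)
```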

done in: 0.3.0
load left: 0.000
closed by: #4acdc3001ccd Add autologin capabilities.
patches:
  • Add autologin capabilities. [applied]
  • Allow oauth2 session token to be submitted by the webclient. [applied]