Open markpundsack opened 11 years ago
If we rename is_heroku_app to use_sessions (possibly use_heroku_sessions) and make it a public feature that users can opt their clients into, the documentation would read something like:
use_heroku_sessions: Have your OAuth client participate with Heroku's unified login system so that when a user signs into their Dashboard, they can visit your app as well and be logged in automatically, and when that user signs out of any Heroku property by linking to id.heroku.com/logout, they're logged out of your app too.
Thoughts?
Quick reminder: the unified login system requires hosting the app under heroku.com (vs herokuapp.com); we may want to document this as well.
Will identity send the same user details to Heroku and non-Heroku apps when the user logs in?
Oh man NO! Just by visiting a URL, I'm immediately logged into a third-party app without any authorization?
Now perhaps you meant that they'd still have the authorization dialog pop up on Identity the first time, and then after that they'd have single sign-on and single sign-off? In which case, that could be awesome. But then why not call it single_sign_on? :)
Why not single_sign_on_and_sign_off? ;)
But seriously, yes, definitely option #2. Third-party clients are never trusted, and will always need to have the user authorize them via the untrusted dialog in Identity before they're allowed to do anything. After that they get to use single sign-on and sign-off.
Sounds good then. We should float this around, especially to Tom and make sure there are no hidden reasons not to do this. But nothing jumps to mind at the moment.
Hi friends, I'm here from heroku/core#1410. Mark's original user story seems to cover that issue, but the discussion is about something else (single sign-on). I just want to make sure that having persistent sessions, meaning setting the cookies with a far-future expiration, is not overlooked here.
Thanks!
@wuputah We've got you covered. ID will use cookies that last beyond the lifetime of a browser session, and it can use the refresh cycle to revive access tokens that lapse.
:heart: :+1:
As a non-herokai, I should never have to log in to Heroku more than once (per browser).