heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License
247 stars, 20 forks

Support permanent logins #4

Open markpundsack opened 11 years ago

markpundsack commented 11 years ago

As a non-herokai, I should never have to log in to Heroku more than once (per browser).

brandur commented 11 years ago

Proposal

We rename is_heroku_app to use_sessions (possibly use_heroku_sessions) and make it a public feature that users can opt their clients into; the documentation would read something like:

use_heroku_sessions: Have your OAuth client participate with Heroku's unified login system so that when a user signs into their Dashboard, they can visit your app as well and be logged in automatically, and when that user signs out of any Heroku property by linking to id.heroku.com/logout, they're logged out of your app too.

Thoughts?

raul commented 11 years ago

Quick reminder: the unified login system requires hosting the app under heroku.com (vs. herokuapp.com); we may want to document this as well.

Will identity send the same user details to Heroku and non-Heroku apps when the user logs in?

markpundsack commented 11 years ago

Oh man NO! Just by visiting a URL, I'm immediately logged into a third-party app without any authorization?

Now perhaps you meant that they'd still have the authorization dialog pop up on identity the first time, and then after that they'd have single sign-on and single sign-off? In which case, that could be awesome. But then why not call it single_sign_on? :)

brandur commented 11 years ago

Why not single_sign_on_and_sign_off? ;)

But seriously, yes, definitely option #2. Third-party clients are never trusted, and will always need to have the user authorize them via the untrusted dialog in Identity before they're allowed to do anything. After that they get to use single sign-on and sign-off.

markpundsack commented 11 years ago

Sounds good then. We should float this around, especially to Tom and make sure there are no hidden reasons not to do this. But nothing jumps to mind at the moment.

wuputah commented 11 years ago

Hi friends, I'm here from heroku/core#1410. Mark's original user story seems to cover that issue, but the discussion is about something else (single sign on). I just want to make sure that having persistent sessions - meaning setting the cookies with a far-future expiration - is not overlooked here.

Thanks!

brandur commented 11 years ago

@wuputah We've got you covered. ID will use cookies that last beyond the lifetime of a browser session, and it can use the refresh cycle to revive access tokens that lapse.
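
The policy settled on above (brandur's "option #2": an opted-in client is signed in from the unified session only after the user has authorized it once in the untrusted dialog, with a shared sign-off) together with the persistent session and refresh cycle described in the last comment, as an added example that is not code from heroku/identity. Client records, return symbols, the 30-day cookie lifetime and the 1-hour access-token lifetime are all assumed for illustration.

```ruby
require 'time'

# Constructed model (not the heroku/identity implementation) of the thread's
# policy: a client opted into use_heroku_sessions is logged in from the unified
# session only after the user once accepted the untrusted dialog; the session
# cookie is persistent (30-day expiry assumed) and a lapsed access token is
# revived via its refresh token instead of forcing a fresh login.
Session = Struct.new(:user_id, :expires_at, :access_token, :token_expires_at, :refresh_token)

class Identity
  SESSION_TTL = 30 * 86_400 # assumed far-future cookie lifetime
  TOKEN_TTL   = 3600        # assumed access-token lifetime

  attr_reader :refreshes

  def initialize(now)
    @now = now
    @grants = Hash.new { |h, k| h[k] = {} } # client_id => { user_id => true }
    @refreshes = 0
  end

  def advance(seconds)
    @now += seconds
  end

  # Interactive login at id.heroku.com sets the persistent session cookie.
  def login(user_id)
    Session.new(user_id, @now + SESSION_TTL, "at-#{user_id}-0", @now + TOKEN_TTL, "rt-#{user_id}")
  end

  # The user accepted the untrusted authorization dialog for this client.
  def authorize(client, session)
    @grants[client[:id]][session.user_id] = true
  end

  # Outcome when the user follows a link to a client app:
  #   :login_required      - no live unified session
  #   :own_oauth_flow      - client did not opt in; it runs the normal OAuth dance
  #   :needs_authorization - session present, but this client was never authorized
  #   :logged_in           - single sign-on applied (token revived if it lapsed)
  def visit(client, session)
    return :login_required if session.nil? || session.expires_at <= @now
    return :own_oauth_flow unless client[:use_heroku_sessions]
    return :needs_authorization unless @grants[client[:id]][session.user_id]
    revive(session) if session.token_expires_at <= @now
    :logged_in
  end

  # Single sign-off: id.heroku.com/logout invalidates the shared session.
  def logout(session)
    session.expires_at = @now
  end

  private

  # Refresh cycle: replace a lapsed access token while the session still lives.
  def revive(session)
    @refreshes += 1
    session.access_token = "at-#{session.user_id}-#{@refreshes}"
    session.token_expires_at = @now + TOKEN_TTL
  end
end
```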

wuputah commented 11 years ago

:heart: :+1: