Hi, I am considering adding an OAuth2 provider like Azure Entra or Keycloak to my application and have read a little bit about it.
But I have a question regarding remember me.
Will the user stay logged in, even if the session has been deleted (silent login as long as the Entra or Keycloak cookies are alive)? So if the session on the Vaadin side is gone, the user will be redirected to the identity provider when he re-visits the page. If the cookie (?) of the identity provider is still alive, he gets logged in automatically and redirected back to the app?
Is it configurable how long this cookie/session should be alive?
You are right that the user will be able to get a new session to your application as long as their SSO session is still valid. Whether that’s a fully automatic redirect or still requires the user to click a “proceed” button or such depends on the SSO provider.
The SSO session timeout is managed by the SSO provider. In the case of Keycloak, it’s documented here: Server Administration Guide.
I think that's a great solution because I have some other apps as well which can then use Azure/Keycloak.
But I think there will be problems with the passwords. I think I cannot migrate them to the identity provider because I only know the hashes and each app uses different passwords. Then all the passwords need to be reset by the user, or are there some workarounds to migrate existing passwords?
The best approach is probably to create new accounts for all existing users and then require them to do a “password reset” to set a new password the first time they try to log in using the new account.
Looks like you are familiar with it; do you know how it works:
The user is logged in to my Vaadin app, then he wants to go to my webshop, which is based on WooCommerce and uses the same identity provider. Does he need to hit “Login” in the shop or will he be logged in automatically?
I think the first time he visits the shop he needs to hit “login”, then he gets logged in silently. On his next visit he doesn't need to hit login again because there is session data in his browser?
I know the specification but I’m not very familiar with specific implementations. The specification gives lots of possibilities on your last question so it’s mostly about the usability considerations from specific implementations.