Guidance for enabling "remember me" functionality for social providers

I am able to enable ‘remember me’ so that the user is not logged out when they use the username/password form and check the ‘remember me’ box. I believe it sets a REMEMBER_ME cookie in the user’s browser.

However, I am not sure how I can do this for social login (e.g. Google/Facebook). Is there any way to add the ‘remember me’ checkbox for social logins, and have it behave the same way as for username/password logins?

If it is not natively supported, what parts of the code should I look at to add this functionality?

This is possible, but it is not natively supported in the Keycloak standard distribution. You would have to build a couple of custom Authenticators to store a cookie with the user’s social IdP, and do an IdP redirect when that cookie is encountered during an authentication flow. Look at these two built-in Authenticators to see how those things work:

Please let me know if there’s anything I can do to help!


@xgp @ckent

Regarding your proposed solution for building custom authenticators:

To confirm my understanding, I need to create two authenticators with the following flow:

  1. First step to check for the cookie and bypass the external IdP if it is present and valid.
  2. Second sub-flow with the following steps:
     • Identity Provider Redirector to authenticate the user with the external IdP
     • Set Remember Me persistent cookie for the external IdP

Like below

So I need to create two authenticators, one for verifying the cookie and the other for setting the cookie?

The solution provided by @xgp is to remember the IdP used by the user and automatically redirect to it; it does not address how to implement the REMEMBER_ME functionality for identity providers. After doing a bit of debugging, my understanding is that we need to somehow convert the following session cookies, which are created by AuthenticationManager, to persistent cookies:

  • KEYCLOAK_IDENTITY_LEGACY
  • KEYCLOAK_IDENTITY
  • KEYCLOAK_SESSION_LEGACY
  • KEYCLOAK_SESSION

I did not find an easy way to override the creation of these cookies using a custom authenticator, but what worked for me is running a custom authenticator as part of the Post login flow in the identity provider, as done by the username and password authenticator. Code reference here

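// Keycloak script authenticator: load the Java class that defines the REMEMBER_ME key
var Details = Java.type("org.keycloak.events.Details");

function authenticate(context) {
    // Set the remember-me note on the authentication session, then let the flow continue
    context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
    context.success();
}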

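Similar code in Java:

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Details;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class IdPRememberMeAuthenticator implements Authenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Set the remember-me note on the authentication session, then let the flow continue
        context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
        context.success();
    }

    // Remaining Authenticator methods: this step has no form to process and nothing to configure
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}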

But not sure this is the right way of doing this. Can someone comment?

@sirishkumar Could you verify that the KEYCLOAK_IDENTITY and KEYCLOAK_IDENTITY_LEGACY cookies have a set expiration date, rather than a “session” lifetime?

I had an in-depth look through the code you linked and the whole flow.
From what I saw, I think this is the right approach!

What I’m not sure about is what the context.getEvent().detail(Details.REMEMBER_ME, "true"); would do, if added.

@Herdo Yes, they have a set expiration date and the values reflect what we have configured for the realm.

Setting context.getEvent().detail(Details.REMEMBER_ME, "true"); it is converting the cookies to persistent.
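The check asked for above (do the login cookies carry an expiry, or only a "session" lifetime?) can be scripted. The following is an added example, not part of the original posts and not Keycloak code: it parses Set-Cookie header values and classifies the four cookies named in this thread. The function names and the header strings are assumptions constructed for illustration, not captured from a Keycloak server.

```javascript
// The four login cookies named in this thread.
const KEYCLOAK_COOKIES = [
  "KEYCLOAK_IDENTITY", "KEYCLOAK_IDENTITY_LEGACY",
  "KEYCLOAK_SESSION", "KEYCLOAK_SESSION_LEGACY",
];

// Parse one Set-Cookie value; attribute names are case-insensitive, flags map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Max-Age wins over Expires (RFC 6265); neither attribute means a session cookie.
function lifetime(attrs, now) {
  const maxAge = attrs.get("max-age");
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) {
    return Number(maxAge) > 0 ? "persistent" : "deleted";
  }
  const expires = Date.parse(attrs.get("expires"));
  if (!Number.isNaN(expires)) return expires > now ? "persistent" : "deleted";
  return "session";
}

// Report each expected cookie as persistent, session, deleted, or missing.
function auditRememberMe(setCookieHeaders, now = Date.now()) {
  const report = new Map(KEYCLOAK_COOKIES.map((n) => [n, "missing"]));
  for (const header of setCookieHeaders) {
    const { name, attrs } = parseSetCookie(header);
    if (report.has(name)) report.set(name, lifetime(attrs, now));
  }
  return Object.fromEntries(report);
}

// Constructed samples (placeholder values; realm name "demo" is hypothetical).
const SAMPLE_SESSION_ONLY = [
  "KEYCLOAK_IDENTITY=<token>; Path=/realms/demo/; Secure; HttpOnly",
];
const SAMPLE_REMEMBERED = [
  "KEYCLOAK_IDENTITY=<token>; Max-Age=2592000; Path=/realms/demo/; Secure; HttpOnly",
  "KEYCLOAK_IDENTITY_LEGACY=<token>; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/realms/demo/",
];
console.log(auditRememberMe(SAMPLE_SESSION_ONLY), auditRememberMe(SAMPLE_REMEMBERED));
```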

@sirishkumar Thanks for the confirmation and your earlier guidance towards a solution. Based on your information I was able to write this extension:

Works like a charm :)