[Openid-specs-ab] Behaviour of OIDC 'prompt=none' when logged in

Hasanthi Purnima Dissanayake hasanthi at wso2.com
Mon Jul 18 11:34:03 UTC 2016

Hi All,

According to the spec [1], when prompt=none the result should be as below.

> The Authorization Server MUST NOT display any authentication or consent
> user interface pages. An error is returned if an End-User is not already
> authenticated or the Client does not have pre-configured consent for the
> requested Claims or does not fulfill other conditions for processing the
> request

If we consider a scenario like
1. User sends authorization request without any prompt value to the IS
2. Server gives the login page
3. User provides credentials
4. Authentication successful and server returns consent page
5. User provides consent as 'Approve'
6. User sends an authorization request with prompt=none

So do we consider this consent which we have set in the same session as a
pre-configured consent or do we need to return an error with
consent-required error code?


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasanthi at wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>
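
The six-step scenario above, modelled as an added example (not part of the original post and not WSO2 Identity Server code). It assumes the server stores the step 5 approval per user and client and treats that record as the consent checked at step 6, which is this example's assumption and not a ruling from the spec; `ServerState`, `authorize`, `run_scenario`, the client URL and the code value are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode

@dataclass
class ServerState:
    sessions: dict = field(default_factory=dict)  # session id -> authenticated subject
    consents: dict = field(default_factory=dict)  # (subject, client_id) -> approved scopes

def authorize(state, session_id, client_id, redirect_uri, scope, prompt=None):
    """Return the next step: a UI page name, or a redirect URL back to the client."""
    requested = set(scope.split())
    subject = state.sessions.get(session_id)
    # Consent is looked up per (user, client) so one client's approval never covers another.
    granted = state.consents.get((subject, client_id), set()) if subject else set()

    def redirect(params):
        return redirect_uri + "?" + urlencode(params)

    if prompt == "none":
        # No UI may be shown, so every unmet condition becomes an error redirect.
        if subject is None:
            return redirect({"error": "login_required"})
        if not requested <= granted:  # stored consent must cover every requested scope
            return redirect({"error": "consent_required"})
        return redirect({"code": "constructed-code"})
    if subject is None:
        return "login_page"
    if not requested <= granted:
        return "consent_page"
    return redirect({"code": "constructed-code"})

def run_scenario():
    s, cb = ServerState(), "https://client.example/cb"  # constructed client callback
    out = [authorize(s, "sid1", "app", cb, "openid profile")]        # steps 1-2
    s.sessions["sid1"] = "alice"                                     # step 3
    out.append(authorize(s, "sid1", "app", cb, "openid profile"))    # step 4
    s.consents[("alice", "app")] = {"openid", "profile"}             # step 5
    out.append(authorize(s, "sid1", "app", cb, "openid profile", prompt="none"))  # step 6
    # Same session, but a scope the user never approved: must not be granted silently.
    out.append(authorize(s, "sid1", "app", cb, "openid email", prompt="none"))
    # prompt=none from a browser with no authenticated session.
    out.append(authorize(s, "sid2", "app", cb, "openid", prompt="none"))
    return out

if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```
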