[Openid-specs-ab] Behaviour of OIDC 'prompt=none' when logged in

Thomas Broyer t.broyer at gmail.com
Tue Jul 19 09:06:42 UTC 2016


On Mon, Jul 18, 2016 at 1:34 PM Hasanthi Purnima Dissanayake <
hasanthi at wso2.com> wrote:

> Hi All,
>
> According to the spec [1] when prompt=none the result should as below.
>
>> The Authorization Server MUST NOT display any authentication or consent
>> user interface pages. An error is returned if an End-User is not already
>> authenticated or the Client does not have per-configured consent for the
>> requested Claims or does not fulfill other conditions for processing the
>> request
>
>
>
> If we consider a scenario like
> 1. User sends authorization request without any prompt value to the IS
> server
> 2. Server gives the login page
> 3. User provides credentials
> 4. Authentication successful and server returns consent page
> 5. User provides consent as 'Approve'
> 6. User send a authorization request with prompt =none
>
> So do we consider this consent which we have set in the same session as a
> pre-configured consent or do we need to return an error with
> consent-required error code?
>

What would you do if 6. was happening without the prompt=none?
If you'd do a transparent redirect back to the redirect_uri (e.g. because
the requested scopes were already granted), then do the same with
prompt=none.
If you'd show a page to the user asking for consent, then return a
consent_required error; and more generally if you'd show any other page to
the user, then return the appropriate error instead.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160719/0c768dab/attachment.html>


More information about the Openid-specs-ab mailing list