[Openid-specs-ab] Behaviour of OIDC 'prompt=none' when logged in

Hasanthi Purnima Dissanayake hasanthi at wso2.com
Tue Jul 19 09:25:09 UTC 2016

Hi Thomas,
Thanks for the response. According to our current implementation if 6 was
happening without prompt=none it shows the page to the user asking for

When we are running OIDC compliance tests for basic profile the test case
'Request with prompt=none when logged in' (OP-Prompt-none-Loggedin) fails
if we provide 'approve' as the consent in step 5 with the error
"consent_required". But if we provide 'approve_always' it passes and after
if we don't use prompt=consent for this application it wont display user
consent page again after authorization.

So AFAIU the behavior of the server with consent should be implementation
specific. So we can use the consent 'approve_always' instead of 'approve'
in this test case. Please correct me if I'm wrong.


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasanthi at wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Tue, Jul 19, 2016 at 2:36 PM, Thomas Broyer <t.broyer at gmail.com> wrote:

> On Mon, Jul 18, 2016 at 1:34 PM Hasanthi Purnima Dissanayake <
> hasanthi at wso2.com> wrote:
>> Hi All,
>> According to the spec [1] when prompt=none the result should as below.
>>> The Authorization Server MUST NOT display any authentication or consent
>>> user interface pages. An error is returned if an End-User is not already
>>> authenticated or the Client does not have per-configured consent for the
>>> requested Claims or does not fulfill other conditions for processing the
>>> request
>> If we consider a scenario like
>> 1. User sends authorization request without any prompt value to the IS
>> server
>> 2. Server gives the login page
>> 3. User provides credentials
>> 4. Authentication successful and server returns consent page
>> 5. User provides consent as 'Approve'
>> 6. User send a authorization request with prompt =none
>> So do we consider this consent which we have set in the same session as a
>> pre-configured consent or do we need to return an error with
>> consent-required error code?
> What would you do if 6. was happening without the prompt=none?
> If you'd do a transparent redirect back to the redirect_uri (e.g. because
> the requested scopes were already granted), then do the same with
> prompt=none.
> If you'd show a page to the user asking for consent, then return a
> consent_required error; and more generally if you'd show any other page
> to the user, then return the appropriate error instead.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160719/96088687/attachment.html>

More information about the Openid-specs-ab mailing list