[Openid-specs-ab] Issue #1062: offline_access prior consent and application_type (openid/connect)
issues-reply at bitbucket.org
Sun Jan 13 16:22:08 UTC 2019
New issue 1062: offline_access prior consent and application_type
Core section 11 https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
> Upon receipt of a scope parameter containing the `offline_access` value, the Authorization Server:
> - MUST ensure that the prompt parameter contains `consent` unless other conditions for processing the request permitting offline access to the requested resources are in place; unless one or both of these conditions are fulfilled, then it MUST ignore the `offline_access` request,
> - MUST ignore the `offline_access` request unless the Client is using a `response_type` value that would result in an Authorization Code being returned,
> - MUST explicitly receive or have consent for all Clients when the registered `application_type` is `web`
> - SHOULD explicitly receive or have consent for all Clients when the registered `application_type` is `native`.
1. What is the history behind the last two points? Since `prompt` is being requested anyway, an explicit consent is being rendered anyway.
2. Isn't the MUST/SHOULD mistakenly switched between the two application types?
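As an added illustration of the four rules quoted from Core section 11 (example code written for this page, not part of the issue or of any OpenID implementation), the function below evaluates an authorization request and decides whether `offline_access` is honoured and whether a consent screen has to be shown. The parameters `prior_consent` and `other_conditions` are assumptions standing in for the spec's "have consent" and "other conditions ... are in place" clauses, which the spec leaves to deployment policy; the `normative_level` field only records whether the application_type rule that applied is the MUST (`web`) or the SHOULD (`native`) one, it does not change the decision.

```python
from dataclasses import dataclass


@dataclass
class OfflineAccessDecision:
    """Outcome of applying the Core section 11 rules to one request."""
    offline_access: bool      # whether a refresh token may be issued
    consent_screen: bool      # whether explicit consent must be collected now
    normative_level: str      # "MUST" (web), "SHOULD" (native) or "" if not reached
    reason: str


def returns_authorization_code(response_type: str) -> bool:
    # Any response_type containing the "code" token yields an Authorization Code
    # (code, code id_token, code token, code id_token token).
    return "code" in response_type.split()


def evaluate_offline_access(scope: str, prompt: str, response_type: str,
                            application_type: str,
                            prior_consent: bool = False,
                            other_conditions: bool = False) -> OfflineAccessDecision:
    """Apply the offline_access rules in order; the first failing rule wins.

    prior_consent    - assumption: the AS already holds consent from this End-User
                       for this Client (the spec's "have consent").
    other_conditions - assumption: a deployment-specific condition that permits
                       offline access without prompt=consent.
    """
    scopes = set(scope.split())
    prompts = set((prompt or "").split())

    if "offline_access" not in scopes:
        return OfflineAccessDecision(False, False, "", "offline_access not requested")

    # Rule 2: MUST ignore unless an Authorization Code will be returned.
    if not returns_authorization_code(response_type):
        return OfflineAccessDecision(
            False, False, "",
            "ignored: response_type %r returns no Authorization Code" % response_type)

    # Rule 1: MUST ensure prompt contains consent, unless other conditions apply.
    if "consent" not in prompts and not other_conditions:
        return OfflineAccessDecision(
            False, False, "",
            "ignored: prompt lacks 'consent' and no other condition permits offline access")

    # Rules 3 and 4: explicitly receive or have consent, MUST for web, SHOULD for native.
    if application_type == "web":
        level = "MUST"
    elif application_type == "native":
        level = "SHOULD"
    else:
        return OfflineAccessDecision(False, False, "",
                                     "unknown application_type %r" % application_type)

    if "consent" in prompts:
        # prompt=consent forces the consent screen regardless of what is on file.
        return OfflineAccessDecision(True, True, level,
                                     "consent screen shown because prompt=consent")
    if prior_consent:
        return OfflineAccessDecision(True, False, level,
                                     "consent already on file; no screen needed")
    # Reached only via other_conditions without prompt=consent: consent still has to
    # be received explicitly for a web client (MUST); this example applies the same
    # handling to native clients (SHOULD).
    return OfflineAccessDecision(True, True, level,
                                 "consent screen shown to satisfy the application_type rule")


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    for args in [("openid offline_access", "consent", "code", "web"),
                 ("openid offline_access", "consent", "id_token token", "web"),
                 ("openid offline_access", "", "code", "native")]:
        print(args, "->", evaluate_offline_access(*args))
```

Running the sample requests shows why the issue's first question arises: whenever `prompt=consent` is present the consent screen is shown before rules 3 and 4 are even consulted, so those rules only change the outcome on the `other_conditions` path.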