[Openid-specs-ab] Question about pre-configured consent for the requested Claims
Takahiko Kawasaki
daru.tk at gmail.com
Sun Jun 15 17:59:34 UTC 2014
I'm trying to understand the specification of OpenID Connect Core 1.0 and
have a question about "pre-configured consent for the requested Claims"
which is mentioned in "3.1.2.1. Authentication Request / prompt / none".
The description says as follows:
    none
        The Authorization Server MUST NOT display any authentication
        or consent user interface pages. An error is returned if an
        End-User is not already authenticated or the Client does not
        have pre-configured consent for the requested Claims or does
        not fulfill other conditions for processing the request. The
        error code will typically be login_required,
        interaction_required, or another code defined in Section
        3.1.2.6. This can be used as a method to check for existing
        authentication and/or consent.
My question is "how does the Client pre-configure consent?"
Does "pre-configure consent" mean that the End-User grants consent to the
Client in advance before the Client makes a request to the authorization
endpoint? If so, it sounds to me that, to support consent pre-configuration,
the Authorization Server has to provide a page where the End-User can edit
which Claims are to be released to which Client without consent when the Client
accesses the authorization endpoint with 'prompt=none'.
Is my understanding correct?
Best Regards,
Takahiko Kawasaki
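
The check that the quoted `prompt=none` text describes, sketched as an added example that is not part of the original message or of the specification. It assumes one possible reading of "pre-configured consent": the Authorization Server keeps a per-End-User, per-Client record of Claims already consented to. The store layout, function names, sample data and the `PLACEHOLDER_CODE` value are hypothetical.

```python
from urllib.parse import urlencode

# Hypothetical consent store (constructed sample data):
# (End-User subject, client_id) -> Claims the End-User has already consented to.
STORED_CONSENT = {("alice", "client-1"): {"sub", "email"}}


def check_prompt_none(session_user, client_id, requested_claims,
                      consent=STORED_CONSENT):
    """Return None if the request can be processed with no UI, else an error code."""
    if session_user is None:
        # End-User is not already authenticated.
        return "login_required"
    granted = consent.get((session_user, client_id), set())
    if not set(requested_claims) <= granted:
        # At least one requested Claim has no stored consent for this Client.
        # consent_required is one of the codes defined in Section 3.1.2.6.
        return "consent_required"
    return None


def authorization_response(redirect_uri, state, session_user, client_id,
                           requested_claims):
    """Build the redirect for a prompt=none request; no page is ever rendered."""
    error = check_prompt_none(session_user, client_id, requested_claims)
    if error is None:
        params = {"code": "PLACEHOLDER_CODE", "state": state}
    else:
        params = {"error": error, "state": state}
    # Keep any query string already present on the registered redirect URI.
    separator = "&" if "?" in redirect_uri else "?"
    return redirect_uri + separator + urlencode(params)
```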