[Openid-specs-ab] Question about pre-configured consent for the requested Claims

Takahiko Kawasaki daru.tk at gmail.com
Sun Jun 15 17:59:34 UTC 2014


I'm trying to understand the specification of OpenID Connect Core 1.0 and
have a question about "pre-configured consent for the requested Claims"
which is mentioned in "3.1.2.1. Authentication Request / prompt / none".

The description reads as follows:

  none
    The Authorization Server MUST NOT display any authentication
    or consent user interface pages. An error is returned if an
    End-User is not already authenticated or the Client does not
    have pre-configured consent for the requested Claims or does
    not fulfill other conditions for processing the request. The
    error code will typically be login_required,
    interaction_required, or another code defined in Section
    3.1.2.6. This can be used as a method to check for existing
    authentication and/or consent.

My question is "how does the Client pre-configure consent?"

Does "pre-configure consent" mean that the End-User grants consent to the
Client in advance, before the Client makes a request to the authorization
endpoint? If so, it sounds to me that, to support consent pre-configuration,
the Authorization Server has to provide a page where the End-User can edit
which Claims are to be released to which Client without consent when the
Client accesses the authorization endpoint with 'prompt=none'.

Is my understanding correct?

Best Regards,
Takahiko Kawasaki
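
An added example, not part of the original message or of the specification: a sketch of how an Authorization Server could evaluate a prompt=none request against stored consent, following the quoted text. The consent store layout, the function name handle_prompt_none, the flat list of requested Claim names, and the sample client and user identifiers are assumptions; consent_required is the Section 3.1.2.6 error code used here for the missing-consent case.

```python
import secrets
from urllib.parse import urlencode

# Constructed consent store (assumption): (client_id, subject) -> Claims
# already approved for that Client, e.g. at an earlier interactive request.
CONSENT_STORE = {
    ("client-a", "user-123"): {"sub", "email", "email_verified"},
}

def handle_prompt_none(client_id, redirect_uri, state, requested_claims, session):
    """Evaluate an Authentication Request that carries prompt=none.

    Returns (outcome, redirect_url). No login or consent page is rendered:
    every unmet condition becomes an error redirect back to the Client.
    Assumes redirect_uri was already matched against the Client's registration.
    """
    sep = "&" if "?" in redirect_uri else "?"

    def redirect(outcome, params):
        params["state"] = state
        return outcome, redirect_uri + sep + urlencode(params)

    # 1. End-User must already be authenticated at the Authorization Server.
    subject = (session or {}).get("sub")
    if subject is None:
        return redirect("login_required", {"error": "login_required"})

    # 2. Every requested Claim must be covered by stored consent. Fail closed:
    #    a partial match is an error, never a silent release of a subset.
    granted = CONSENT_STORE.get((client_id, subject), set())
    if not set(requested_claims) <= granted:
        return redirect("consent_required", {"error": "consent_required"})

    # 3. Both conditions hold: continue without any user interaction.
    return redirect("ok", {"code": secrets.token_urlsafe(16)})
```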

