[Openid-specs-ab] Issue #1062: offline_access prior consent and application_type (openid/connect)

Filip Skokan issues-reply at bitbucket.org
Sun Jan 13 16:22:08 UTC 2019


New issue 1062: offline_access prior consent and application_type
https://bitbucket.org/openid/connect/issues/1062/offline_access-prior-consent-and

Filip Skokan:

Core section 11 https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

> Upon receipt of a scope parameter containing the `offline_access` value, the Authorization Server:
> 
> - MUST ensure that the prompt parameter contains `consent` unless other conditions for processing the request permitting offline access to the requested resources are in place; unless one or both of these conditions are fulfilled, then it MUST ignore the `offline_access` request,  
> - MUST ignore the `offline_access` request unless the Client is using a `response_type` value that would result in an Authorization Code being returned,  
> - MUST explicitly receive or have consent for all Clients when the registered `application_type` is `web`  
> - SHOULD explicitly receive or have consent for all Clients when the registered `application_type` is `native`.

1. What is the history behind the last two points? Since `prompt` is being requested anyway, an explicit consent is being rendered anyway.
2. Isn't the MUST/SHOULD mistakenly switched between the two application types?
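To make the four rules quoted above concrete, here is an added example (my own illustration, not code from the thread, the spec or any implementation) of an Authorization Server deciding whether `offline_access` may be honoured, i.e. whether a refresh token may be issued. The request/client structures, the `strict_native` switch (treating the SHOULD for `native` clients as strictly as the MUST for `web`) and the consent flags are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AuthzRequest:
    """Subset of an OIDC authorization request (constructed for the example)."""
    scope: set[str]
    prompt: set[str] = field(default_factory=set)
    response_type: str = "code"


@dataclass
class ClientMeta:
    """Registered client metadata relevant to Core section 11."""
    client_id: str
    application_type: str  # "web" or "native"


def response_type_yields_code(response_type: str) -> bool:
    """Rule 2: offline_access requires a response_type that returns an Authorization Code."""
    return "code" in response_type.split()


def offline_access_allowed(req: AuthzRequest, client: ClientMeta,
                           prior_consent: bool, consent_given_now: bool,
                           strict_native: bool = True) -> bool:
    """Return True only if the AS may honour offline_access (issue a refresh token)."""
    if "offline_access" not in req.scope:
        return False
    # Rule 2: not an Authorization Code flow -> MUST ignore offline_access.
    if not response_type_yields_code(req.response_type):
        return False
    # Rule 1: prompt=consent MUST be present unless prior consent is already in place.
    if "consent" not in req.prompt and not prior_consent:
        return False
    # Rules 3/4: consent MUST (web) / SHOULD (native) actually be received or held.
    needs_consent = client.application_type == "web" or strict_native
    if needs_consent and not (consent_given_now or prior_consent):
        return False
    return True


def effective_scope(req: AuthzRequest, client: ClientMeta,
                    prior_consent: bool, consent_given_now: bool) -> set[str]:
    """Scope the AS will actually grant: offline_access is silently dropped when ignored."""
    if offline_access_allowed(req, client, prior_consent, consent_given_now):
        return set(req.scope)
    return req.scope - {"offline_access"}
```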



