<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Mon, Jul 18, 2016 at 1:34 PM Hasanthi Purnima Dissanayake &lt;<a href="mailto:hasanthi@wso2.com">hasanthi@wso2.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi All,<br><br>According to the spec [1] when prompt=none the result should be as below.<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">The Authorization Server
MUST NOT display any authentication or consent
user interface pages.
An error is returned
if an End-User
is not already authenticated or the Client does not have pre-configured consent for the requested
Claims or does not fulfill other conditions for processing the request</blockquote><div> </div><br>If we consider a scenario like<br><div>1. User sends authorization request without any prompt value to the IS server<br></div><div>2. Server gives the login page<br></div><div>3. User provides credentials <br></div><div>4. Authentication successful and server returns consent page<br></div><div>5. User provides consent as 'Approve'<br></div>6. User sends an authorization request with prompt=none<br><br></div>So do we consider this consent which we have set in the same session as a pre-configured consent or do we need to return an error with consent-required error code?</div></div></blockquote><div><br></div><div>What would you do if 6. was happening without the prompt=none?</div><div>If you'd do a transparent redirect back to the redirect_uri (e.g. because the requested scopes were already granted), then do the same with prompt=none.</div><div>If you'd show a page to the user asking for consent, then return a consent_required error; and more generally <span style="line-height:1.5">if you'd show any other page to the user, then return the appropriate error instead.</span></div></div></div>
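<div>The rule from the reply above, as an added example that is not part of the thread and is not WSO2 IS code: work out what the server would do without prompt, and with prompt=none replace any UI step with an error redirect. The names Session, next_step and handle_authorization are hypothetical; login_required and interaction_required are the OpenID Connect error codes that sit beside the thread's consent_required; redirect_uri is assumed to be already validated against the client registration and to carry no query string.</div>

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class Session:  # hypothetical server-side session record
    user: str | None = None  # None means the End-User is not authenticated
    # consent recorded earlier in this session: client_id -> approved scopes
    approved: dict[str, set[str]] = field(default_factory=dict)


def next_step(session, client_id, scopes):
    """What the server would do for this request if prompt were absent."""
    if session.user is None:
        return "login"
    if not set(scopes) <= session.approved.get(client_id, set()):
        return "consent"  # at least one requested scope was never approved
    return "redirect"


# UI step -> error returned in its place when prompt=none
ERROR_FOR_STEP = {"login": "login_required", "consent": "consent_required"}


def handle_authorization(params, session):
    """Return ("ui", page_name) or ("redirect", url)."""
    step = next_step(session, params["client_id"], params["scope"].split())
    if step == "redirect":
        query = {"code": "CONSTRUCTED_CODE"}  # placeholder authorization code
    elif params.get("prompt") == "none":
        # Never render a page: report why interaction would have been needed.
        query = {"error": ERROR_FOR_STEP.get(step, "interaction_required")}
    else:
        return ("ui", step)
    if "state" in params:
        query["state"] = params["state"]  # echo state on success and on error
    # Assumption: redirect_uri was matched against the registered value first.
    return ("redirect", params["redirect_uri"] + "?" + urlencode(query))
```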