<div dir="ltr"><div><div><div>Hi Thomas,<br></div>Thanks for the response. According to our current implementation if 6 was happening without prompt=none it shows the page to the user asking for consent. <br><br></div>When we are running OIDC compliance tests for basic profile the test case 'Request with prompt=none when logged in' (OP-Prompt-none-Loggedin) fails if we provide 'approve' as the consent in step 5 with the error "consent_required". But if we provide 'approve_always' it passes and after if we don't use prompt=consent for this application it wont display user consent page again after authorization.<br><br>So AFAIU the behavior of the server with consent should be implementation specific. So we can use the consent 'approve_always' instead of 'approve' in this test case. Please correct me if I'm wrong.<br><br></div>Thanks,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:10.0pt;font-family:AdiHaus;color:gray" lang="DE"></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><span style="font-size:10.0pt;font-family:AdiHaus;color:gray" lang="DE"></span><span><span><font color="#888888"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(102,102,102);font-family:'trebuchet ms',sans-serif">Hasanthi<font color="#888888"> Dissanayake</font></span><br></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline"><font face="trebuchet ms, sans-serif" color="#666666">Software Engineer | WSO2</font></span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline"><span style="color:rgb(102,102,102);font-family:'trebuchet ms',sans-serif;line-height:normal">E</span>: <a href="mailto:hasanthi@wso2.com" style="font-family:'trebuchet ms',sans-serif;line-height:normal" target="_blank">hasanthi@wso2.com</a><font face="trebuchet ms, sans-serif" color="#666666"><br></font></span></p><font face="trebuchet ms, sans-serif" color="#666666"><span style="background-color:transparent;vertical-align:baseline">M :0718407133|</span><a href="http://wso2.com/" style="color:rgb(17,85,204);text-decoration:none" target="_blank"><span style="background-color:transparent;vertical-align:baseline"> </span><span style="background-color:transparent;text-decoration:underline;vertical-align:baseline">http://wso2.com</span></a><span style="background-color:transparent;vertical-align:baseline"> <br></span></font></font></span></span></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, Jul 19, 2016 at 2:36 PM, Thomas Broyer <span dir="ltr"><<a href="mailto:t.broyer@gmail.com" target="_blank">t.broyer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><br><div class="gmail_quote"><span class=""><div dir="ltr">On Mon, Jul 18, 2016 at 1:34 PM Hasanthi Purnima Dissanayake <<a href="mailto:hasanthi@wso2.com" target="_blank">hasanthi@wso2.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi All,<br><br>According to the spec [1] when prompt=none the result should as below.<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">The Authorization Server
MUST NOT display any authentication or consent
user interface pages.
An error is returned
if an End-User
is not already authenticated or the Client does not have per-configured consent for the requested
Claims or does not fulfill other conditions for processing the request</blockquote><div> </div><br>If we consider a scenario like<br><div>1. User sends authorization request without any prompt value to the IS server<br></div><div>2. Server gives the login page<br></div><div>3. User provides credentials <br></div><div>4. Authentication successful and server returns consent page<br></div><div>5. User provides consent as 'Approve'<br></div>6. User send a authorization request with prompt =none<br><br></div>So do we consider this consent which we have set in the same session as a pre-configured consent or do we need to return an error with consent-required error code?</div></div></blockquote><div><br></div></span><div>What would you do if 6. was happening without the prompt=none?</div><div>If you'd do a transparent redirect back to the redirect_uri (e.g. because the requested scopes were already granted), then do the same with prompt=none.</div><div>If you'd show a page to the user asking for consent, then return a consent_required error; and more generally i<span style="line-height:1.5">f you'd show any other page to the user, then return the appropriate error instead.</span></div></div></div>
</blockquote></div><br></div>