
Bypassing user consent with 'prompt=none' does not work

Open siepkes opened this issue 6 years ago • 2 comments

When trying to suppress the OAuth2 user consent page with prompt=none as an argument to the Authorization Request, AM still returns an interaction_required error. prompt=none is part of the OpenID Connect Core 1.0 standard.

This happens even when "Allow clients to skip consent" on the OAuth2 service is true and when the Implied consent option in the agent is also true.

siepkes, Mar 18 '19 09:03

Hi,

The purpose of the prompt=none parameter is not to suppress the user consent page. The expected behavior is to return an error from the authorize endpoint when the user is not logged in, instead of displaying the authentication form.

RomainWilbert, Aug 06 '19 07:08

I guess the issue here is that the user is authenticated against AM, but it is his/her first login to the OIDC-enabled application (or there is no consent attribute configured). Ideally, with "implied consent" (configuration of the OIDC agent / client / app) there is no interaction, so this should authenticate the user.

pavelhoral avatar Aug 06 '19 07:08 pavelhoral
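
Added example, not part of the thread and not AM's code: a small Python model of how OpenID Connect Core 1.0 (section 3.1.2.1) lets an authorization endpoint treat `prompt=none`, covering both the unauthenticated case and the missing-consent case discussed above. The `Client`, `Session` and `authorize` names, the `/login` and `/consent` paths, the redirect URI and the use of `invalid_request` for a mixed prompt value are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode


@dataclass
class Client:                       # hypothetical client registration
    client_id: str
    redirect_uri: str
    implied_consent: bool = False   # stands in for the "Implied consent" option


@dataclass
class Session:                      # hypothetical end-user session state
    user: Optional[str] = None
    saved_consent: dict = field(default_factory=dict)  # client_id -> set of scopes


def authorize(params: dict, client: Client, session: Session) -> str:
    """Return the redirect target the authorization endpoint would answer with."""
    prompt = set(params.get("prompt", "").split())
    scopes = set(params.get("scope", "").split())

    def redirect(**kv):
        if "state" in params:
            kv["state"] = params["state"]
        return f"{client.redirect_uri}?{urlencode(kv)}"

    # The spec says "none" with any other prompt value is an error; the
    # specific code used here (invalid_request) is this sketch's choice.
    if "none" in prompt and len(prompt) > 1:
        return redirect(error="invalid_request")

    silent = "none" in prompt       # no login or consent UI may be shown
    if session.user is None:
        return redirect(error="login_required") if silent else "/login"

    granted = session.saved_consent.get(client.client_id, set())
    if not (client.implied_consent or scopes <= granted):
        # A server may also answer with the more general interaction_required,
        # which is the error reported in this issue.
        return redirect(error="consent_required") if silent else "/consent"

    return redirect(code="CONSTRUCTED-AUTH-CODE")  # constructed placeholder value
```

In this model, `prompt=none` never grants consent by itself; it only succeeds when the client has implied consent or the requested scopes were already consented to.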