dex icon indicating copy to clipboard operation
dex copied to clipboard
verified publisher icon dexidp

[google connector] prompt=consent on all offline_access scopes

Open TheRealNoob opened this issue 1 year ago • 5 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I am not looking for support or already pursued the available support channels without success.

Version

2.39.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

Dex should omit the prompt field when using the Google connector. Or allow it to be configurable using config.promptType.

Actual Behavior

If someone opens an authentication flow against Dex with scope=["offline_access"] then dex includes prompt=consent on its request to Google every time (this code). This is adds unnecessary dialogue boxes for the user. Per Google's docs:

You can prompt the user to re-authorize your app by setting the prompt parameter to consent in your authentication request. When prompt=consent is included, the consent screen is displayed every time your app requests authorization of scopes of access, even if all scopes were previously granted to your Google APIs project. For this reason, include prompt=consent only when necessary.

Per these docs (see the table) if you omit the prompt field, then Google will prompt on first consent and not after.

Steps To Reproduce

No response

Additional Information

No response

Configuration

No response

Logs

No response

TheRealNoob avatar Apr 04 '24 22:04 TheRealNoob

Making it configurable is a good improvement.

nabokihms avatar Apr 09 '24 09:04 nabokihms

@nabokihms it seems it's not possible to omit the prompt field via promptType. Perhaps there's another way? Or if it's added to the Google connector, it would only make sense that it would have to added to all?

TheRealNoob avatar Apr 10 '24 23:04 TheRealNoob

Looks like a simple fix to me that involves:

  1. Introduce a new configuration parameter, essentially a boolean toggle
  2. Based on the config, include or skip adding oauth2.SetAuthURLParam("prompt", "consent") in the LoginURL

Skipping prompt=consent in LoginURL is not a problem because Google will automatically ask for consent first time as per documentation.

p.s: Apologies if the suggestion is way off the mark. I just glanced through the Google connector code and not entirely familiar with the larger dex codebase yet.

abhisek avatar Apr 13 '24 09:04 abhisek

I believe the behavior should be the same as that of the generic OIDC connector https://github.com/dexidp/dex/blob/1ca4583920cf2dd7bf42e48302fbd4d3ec87757d/connector/oidc/oidc.go#L244

As for me, the fix also looks straightforward

nabokihms avatar Apr 13 '24 10:04 nabokihms

@nabokihms I raised a PR to allow explicit prompt configuration for the Google connector. I don't think we can skip the value entirely without "misaligning" with the behaviour of consent as default prompt used in generic OIDC connector

abhisek avatar Apr 13 '24 11:04 abhisek

The fix https://github.com/dexidp/dex/pull/3475 was released in v2.40.0. Thank you very much @abhisek for the PR! Much appreciated!

TheRealNoob avatar Jun 05 '24 21:06 TheRealNoob