[Question] Implicit consent with offline_access scope (RefreshToken) possible?
Describe your question: Is it possible to have implicit consent with the offline_access scope? It appears to always open the consent prompt.
Relevant info: I am creating the users with the API, so imo it would be a weird step for my users that they need to give consent on a user account I created for them for my own application. As an alternative I tried to look in the API to see if it's possible to programmatically set consent for users, but couldn't find any endpoints for this in the API, only for getting user consent.
Version and Deployment:
- authentik version: 2024.2.2
- Deployment: docker-compose
@BeryJu Migrating from 2023.10.6 -> 2024.2.4, an application integration that requires a refresh token (we added offline_access to scope) has started to ask for consent when doing authentication?
Shouldn't the provider for the application that has Authorization flow set to default-provider-authorization-implicit-consent not ask for consent, or is it a requirement when using offline_access in scope now even if we ask for it to be implicit?
I can't see that it was mentioned anywhere in the release notes that consent will be enforced when asking for offline_scope; we wanted to retain the behaviour as-is with implicit consent.
This issue exists. offline_access scope and implicit consent don't work together. It is not returning the refresh token. @BeryJu
+1
After checking this in more detail, this issue should be closed as the behaviour is according to the specification.
See https://github.com/goauthentik/authentik/blob/version/2024.6.5/authentik/providers/oauth2/views/authorize.py#L258-L263
The specification clearly states that if offline access is requested, consent should be given. If you've set an authorization flow that has implicit consent on your provider, authentik will inject a consent stage (without remembering anything) on each login.
When offline access is requested, a prompt parameter value of consent MUST be used unless other conditions for processing the request permitting offline access to the requested resources are in place.
The OP MUST always obtain consent to returning a Refresh Token that enables offline access to the requested resources.
A previously saved user consent is not always sufficient to grant offline access.
See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
If you want to only ask consent once or for example every four (4) weeks make sure that you select an explicit authorization flow on your provider.
- Make sure you have the default-provider-authorization-explicit-consent as authorization flow on your provider
- Update Behaviour settings on the default-provider-authorization-consent stage
You can also create your own authorization flow of course.
- Create a new Consent stage (copy default-provider-authorization-consent) and set for example Consent Once in Behaviour settings
- Create a new Authorization flow and bind the new Consent stage (copy default-provider-authorization-explicit-consent)
- Set the new Authorization flow on the provider
That would prevent it from prompting all the time because Authentik doesn't have to inject a consent prompt without any settings for every login.
This is also an issue for my organisation (an authentik Enterprise licensee).
We are running authentik as a customer-facing identity provider for a number of our own applications. It wouldn't be appropriate to ask the user for consent given that we own and operate both the IdP and the application that uses said IdP.
As an operator of authentik, I need the ability to disable the automatic consent mechanism. I think the OIDC specification allows for this in the following phrase:
unless other conditions for processing the request permitting offline access to the requested resources are in place
IMHO, if I (as the IdP operator) assert that all users have consented to offline_access, then that ought to be sufficient to meet the "other conditions" test.
We have the same pattern here.
The alternative to using a refresh token in our SPA is supposedly silent renew of the access token via an iframe, but modern browsers refuse to send the IdP's session cookie in an iframe (even though it's SameSite: None and secure), so that's no longer viable.
We shouldn't have to ask consent even once for our own app to request our own users' account details. It doesn't make any sense to our users.
Is there any viable workaround or conversations happening about allowing the implicit consent to suffice for offline_access somehow?
We are also experiencing this issue in our organisation. We manage the IDP and customise it with our logos and colours. Asking the user to consent to our managed instance is not a good user experience. Our first intuition was that implicit consent should not ask the user for consent. Is there a possible workaround for this?
Just tried this with the authorization flow set to default-provider-authorization-implicit-consent on an oauth provider, and the offline_access scope selected, I don't get prompted for consent when logging into the app. Could anyone provide steps to reproduce?
I guess, make sure you send the offline_access scope to the authorize endpoint:
/application/o/authorize/?client_id=dso19gS1Vxxxxxxxxxxxxx&scope=openid%20profile%20email%20offline_access&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A7007%2Fapi%2Fauth%2Fauthentik%2Fhandler%2Fframe&state=62655f616363657373&nonce=e9PxkQVEdbr7QfscaJn3Eg%3D%3D&code_challenge=0M3qwyix5EQ88UFEHFdnoAtyiGXCECk7bVddWs3vnes&code_challenge_method=S256
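The two checks a practitioner wants here are whether offline_access is actually in the scope that reaches the authorize endpoint (the maintainer's reproduction question) and whether the token endpoint then returns a refresh token (the symptom reported further up). The block below is an added example, not authentik's code nor anything posted by the thread participants: it builds a PKCE-protected authorization request that can carry the prompt=consent value the quoted OpenID Connect Core section requires for offline access, parses the scope back out of any authorize URL (including the one pasted above, kept here as copied from the thread), and checks a token response for refresh_token. The issuer, client_id, redirect_uri and the token-response dictionaries are constructed placeholders.

```python
# Added example (not authentik's code or the thread author's): client side of
# an offline_access request. Builds a PKCE authorize URL, checks the scope that
# is really sent, and checks the token response for a refresh token.
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Authorize URL copied from the thread above (client_id is masked in the post).
THREAD_AUTHORIZE_URL = (
    "/application/o/authorize/?client_id=dso19gS1Vxxxxxxxxxxxxx"
    "&scope=openid%20profile%20email%20offline_access&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A7007%2Fapi%2Fauth%2Fauthentik%2Fhandler%2Fframe"
    "&state=62655f616363657373&nonce=e9PxkQVEdbr7QfscaJn3Eg%3D%3D"
    "&code_challenge=0M3qwyix5EQ88UFEHFdnoAtyiGXCECk7bVddWs3vnes&code_challenge_method=S256"
)


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scopes: list, code_challenge: str, state: str,
                        nonce: str, prompt: Optional[str] = None) -> str:
    """Build the authorization request.

    OIDC Core (Offline Access, quoted in the thread) says prompt=consent MUST
    accompany offline_access unless the OP has other grounds, so a client can
    pass prompt="consent" explicitly instead of relying on the OP to inject it.
    """
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt
    # quote_via=quote encodes spaces as %20, matching the URL posted above.
    return f"{issuer}/application/o/authorize/?{urlencode(params, quote_via=quote)}"


def requested_scopes(url: str) -> set:
    """Scopes actually carried by an authorize URL (space-separated per OAuth 2.0)."""
    qs = parse_qs(urlparse(url).query)
    return set(qs.get("scope", [""])[0].split())


def offline_access_requested(url: str) -> bool:
    """True when the request asks for a refresh token via the offline_access scope."""
    return "offline_access" in requested_scopes(url)


def refresh_token_granted(token_response: dict, authorize_url: str) -> bool:
    """Check the token endpoint response against what was requested.

    Returns True when offline_access was never requested (nothing to verify) or
    when a refresh_token is present; False reproduces the symptom reported in
    the thread (offline_access requested, no refresh token returned).
    """
    if not offline_access_requested(authorize_url):
        return True
    return bool(token_response.get("refresh_token"))


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = build_authorize_url(
        "https://authentik.example",        # placeholder issuer
        "client-id-placeholder",            # placeholder client_id
        "http://localhost:7007/callback",   # placeholder redirect_uri
        ["openid", "profile", "email", "offline_access"],
        challenge, state=secrets.token_hex(8), nonce=secrets.token_urlsafe(16),
        prompt="consent",
    )
    print(url)
    print("offline_access in request:", offline_access_requested(url))
    print("offline_access in thread URL:", offline_access_requested(THREAD_AUTHORIZE_URL))
```

Run it directly to print a complete authorize URL; pointing a browser at it against a real provider and inspecting the token response with refresh_token_granted tells you whether the scope made it through and whether the provider honoured it.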
I'm also affected by this. I was thinking it was a bug, as I was using implicit-consent. I can understand @tobias-urdin's point with the OpenID specification, but imo having to explicitly consent even once when I'm both the IdP and Application is unacceptable. I also agree with @oliverfrye's point that this should be the exception as stated for OIDC.
I believe there's no need to consent when the IdP and Application are within the same realm and no information has been shared into another entity, it only confuses users who may believe that they are moving into a 3rd party application.
Can we have an answer on this?
We face the same issue and would like to obtain a refresh token without consent.
We are also pretty upset about this.
Btw, here is a comment from the maintainer about the current behavior: https://github.com/goauthentik/authentik/issues/8660#issuecomment-1969060558
@benedikt-bartscher I have faced the same, however I believe the current behaviour is correct according to the OpenID specs. The workaround is quite simple, as @tobias-urdin mentioned above: https://github.com/goauthentik/authentik/issues/9312#issuecomment-2382316642
@BeryJu Why didn't you include #13419 in the 2025.2.2 version?
Because it's a patch release, including only bug fixes, not new features or behavioral changes. I assume it will be included in the next full release.