Hmm.. does the spec say anything related to this. If not better we send a mail to OIDC community and check this out. But if the compliance tests are failing lets go ahead with this new behaviour but let's introduce a property to turn back the old behaviour and make the new the default.
On Mon, Jul 18, 2016 at 4:05 PM, Hasanthi Purnima Dissanayake < [email protected]> wrote: > Hi All, > According to the spec [1] when prompt=none the result should as below. > >> The Authorization Server MUST NOT display any authentication or consent >> user interface pages. An error is returned if an End-User is not already >> authenticated or the Client does not have per-configured consent for the >> requested Claims or does not fulfill other conditions for processing the >> request > > > So if we consider a scenario like > 1. User sends authorization request without any prompt value to the IS > server > 2. Server gives the login page > 3. User provides credentials > 4. Authentication successful and server returns consent page > 5. User provides consent as 'Approve' > 6. User send a authorization request with prompt =none > > According to our current implementation it gives an error page with > consent-required error as the server does not have "trusted_always" in the > db table or "skipConsent=true" in file. But when executing the OIDC > compliance test cases in such a scenario it expects this as a successful > authentication as we have set the consent as approve in the same session. > > So if we are doing this we need to skip the consent page if the their is a > session with consent=approve. Do we need to change our implementation > according to this? Any suggestions will be highly appreciated. > > > The output of the test case is as below. > Trace output > > > 0.000497 ------------ AuthorizationRequest ------------ > 0.000903 --> URL: > https://210.90.95.XXX:9443/oauth2/authorize?scope=openid&state=hwcw3vhktnBaM99R&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa > 0.000910 --> BODY: None > 70.472175 <-- > code=de0696cf-7183-3c31-a13c-92695101e589&state=hwcw3vhktnBaM99R&session_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg > 70.472683 AuthorizationResponse: { > "code": "de0696cf-7183-3c31-a13c-92695101e589", > "session_state": > "927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg", > "state": "hwcw3vhktnBaM99R" > } > 70.473121 ------------ AccessTokenRequest ------------ > 70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token > 70.473561 --> BODY: > code=de0696cf-7183-3c31-a13c-92695101e589&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb > 70.473575 --> HEADERS: {'Content-Type': 'application/x-www-form-urlencoded', > 'Authorization': u'Basic > NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'} > 74.644260 <-- STATUS: 200 > 74.644479 <-- BODY: > {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTQ0LCJpYXQiOjE0Njg4MzYzNDR9.M3Er8G4M05JPXmm-YOsOVcimGrzr9GwSmKeqGQBMTP0ZCpJ9NlFN-SR5HJ9xcH8Tc-dh201euilqPLzkfq2annbIS8V7gkS2ttnryjp0eTDIX3p4gKoLo1HfEARb4iB6r6ovDIzqytYMPacZj5t7uxBxSz2Aiu6qjkNOb5uY7Ss","token_type":"Bearer","expires_in":2056} > 76.777209 AccessTokenResponse: { > "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a", > "expires_in": 2056, > "id_token": { > "claims": { > "at_hash": "CWRMcEJCCQDVyKF1YCZIfg", > "aud": [ > "4rYClwGnY4CE_XXAkMCoWuI4mnIa" > ], > "auth_time": 1468835100, > "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa", > "exp": 1468839944, > "iat": 1468836344, > "iss": "https://210.90.95.XXX:9443/";, > "sub": "admin" > }, > "jws header parameters": { > "alg": "RS256", > "kid": "1508327f853de893eeaa86c201526895d1e95143", > "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA" > } > }, > "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3", > "scope": "openid", > "token_type": "Bearer" > } > 76.788640 ------------ AuthorizationRequest ------------ > 76.789114 --> URL: > https://210.90.95.XXX:9443/oauth2/authorize?prompt=none&state=AstNRnS88v73aAjI&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa&scope=openid > 76.789121 --> BODY: None > 108.266371 <-- > code=684a2084-b823-35fc-baed-d73fdb6a9694&state=AstNRnS88v73aAjI&session_state=62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg > 108.266883 AuthorizationResponse: { > "code": "684a2084-b823-35fc-baed-d73fdb6a9694", > "session_state": > "62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg", > "state": "AstNRnS88v73aAjI" > } > 108.268413 ------------ AccessTokenRequest ------------ > 108.268842 --> URL: https://210.90.95.XXX:9443/oauth2/token > 108.268848 --> BODY: > code=684a2084-b823-35fc-baed-d73fdb6a9694&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb > 108.268861 --> HEADERS: {'Content-Type': 'application/x-www-form-urlencoded', > 'Authorization': u'Basic > NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'} > 109.497011 <-- STATUS: 200 > 109.497233 <-- BODY: > {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTc5LCJpYXQiOjE0Njg4MzYzNzl9.R81RqhJpS_qteUfH_sEQLFYLTbqS5k8GkpM4gaya3rz1yj62OB6ruXOSXFcmTYm11O-5qqJf36FOB1WFfyGNqmfKKy6XIggd6QMCdCh8yhcm8YlDKv_7VUtuFY3O0juLFCN59WEABGcl2sbJTSOGgfcZMHFwFLjKEzAnv8smQEg","token_type":"Bearer","expires_in":2021} > 109.503787 AccessTokenResponse: { > "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a", > "expires_in": 2021, > "id_token": { > "claims": { > "at_hash": "CWRMcEJCCQDVyKF1YCZIfg", > "aud": [ > "4rYClwGnY4CE_XXAkMCoWuI4mnIa" > ], > "auth_time": 1468835100, > "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa", > "exp": 1468839979, > "iat": 1468836379, > "iss": "https://210.90.95.XXX:9443/";, > "sub": "admin" > }, > "jws header parameters": { > "alg": "RS256", > "kid": "1508327f853de893eeaa86c201526895d1e95143", > "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA" > } > }, > "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3", > "scope": "openid", > "token_type": "Bearer" > } > 109.515598 ==== END ==== > > > ------------------------------ > ResultPASSED > > > > Hasanthi Dissanayake > > Software Engineer | WSO2 > > E: [email protected] > M :0718407133| http://wso2.com <http://wso2.com/> > -- Thanks & Regards, *Johann Dilantha Nallathamby* Technical Lead & Product Lead of WSO2 Identity Server Governance Technologies Team WSO2, Inc. lean.enterprise.middleware Mobile - *+94777776950* Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
