Hi Johann, No the spec directly says 'If does not have *per-configured consent*'. Those days when we were implementing this we interpreted per-configured session as 'approve-always' or file based 'skip-consent=true'.
Anyway I will raise this to OIDC community. Thanks, Hasanthi Dissanayake Software Engineer | WSO2 E: [email protected] M :0718407133| http://wso2.com <http://wso2.com/> On Mon, Jul 18, 2016 at 4:11 PM, Johann Nallathamby <[email protected]> wrote: > Hmm.. does the spec say anything related to this. If not better we send a > mail to OIDC community and check this out. But if the compliance tests are > failing lets go ahead with this new behaviour but let's introduce a > property to turn back the old behaviour and make the new the default. > > On Mon, Jul 18, 2016 at 4:05 PM, Hasanthi Purnima Dissanayake < > [email protected]> wrote: > >> Hi All, >> According to the spec [1] when prompt=none the result should as below. >> >>> The Authorization Server MUST NOT display any authentication or consent >>> user interface pages. An error is returned if an End-User is not already >>> authenticated or the Client does not have per-configured consent for the >>> requested Claims or does not fulfill other conditions for processing the >>> request >> >> >> So if we consider a scenario like >> 1. User sends authorization request without any prompt value to the IS >> server >> 2. Server gives the login page >> 3. User provides credentials >> 4. Authentication successful and server returns consent page >> 5. User provides consent as 'Approve' >> 6. User send a authorization request with prompt =none >> >> According to our current implementation it gives an error page with >> consent-required error as the server does not have "trusted_always" in the >> db table or "skipConsent=true" in file. But when executing the OIDC >> compliance test cases in such a scenario it expects this as a successful >> authentication as we have set the consent as approve in the same session. >> >> So if we are doing this we need to skip the consent page if the their is >> a session with consent=approve. Do we need to change our implementation >> according to this? Any suggestions will be highly appreciated. >> >> >> The output of the test case is as below. >> Trace output >> >> >> 0.000497 ------------ AuthorizationRequest ------------ >> 0.000903 --> URL: >> https://210.90.95.XXX:9443/oauth2/authorize?scope=openid&state=hwcw3vhktnBaM99R&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa >> 0.000910 --> BODY: None >> 70.472175 <-- >> code=de0696cf-7183-3c31-a13c-92695101e589&state=hwcw3vhktnBaM99R&session_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg >> 70.472683 AuthorizationResponse: { >> "code": "de0696cf-7183-3c31-a13c-92695101e589", >> "session_state": >> "927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg", >> "state": "hwcw3vhktnBaM99R" >> } >> 70.473121 ------------ AccessTokenRequest ------------ >> 70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token >> 70.473561 --> BODY: >> code=de0696cf-7183-3c31-a13c-92695101e589&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb >> 70.473575 --> HEADERS: {'Content-Type': 'application/x-www-form-urlencoded', >> 'Authorization': u'Basic >> NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'} >> 74.644260 <-- STATUS: 200 >> 74.644479 <-- BODY: >> {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTQ0LCJpYXQiOjE0Njg4MzYzNDR9.M3Er8G4M05JPXmm-YOsOVcimGrzr9GwSmKeqGQBMTP0ZCpJ9NlFN-SR5HJ9xcH8Tc-dh201euilqPLzkfq2annbIS8V7gkS2ttnryjp0eTDIX3p4gKoLo1HfEARb4iB6r6ovDIzqytYMPacZj5t7uxBxSz2Aiu6qjkNOb5uY7Ss","token_type":"Bearer","expires_in":2056} >> 76.777209 AccessTokenResponse: { >> "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a", >> "expires_in": 2056, >> "id_token": { >> "claims": { >> "at_hash": "CWRMcEJCCQDVyKF1YCZIfg", >> "aud": [ >> "4rYClwGnY4CE_XXAkMCoWuI4mnIa" >> ], >> "auth_time": 1468835100, >> "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa", >> "exp": 1468839944, >> "iat": 1468836344, >> "iss": "https://210.90.95.XXX:9443/";, >> "sub": "admin" >> }, >> "jws header parameters": { >> "alg": "RS256", >> "kid": "1508327f853de893eeaa86c201526895d1e95143", >> "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA" >> } >> }, >> "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3", >> "scope": "openid", >> "token_type": "Bearer" >> } >> 76.788640 ------------ AuthorizationRequest ------------ >> 76.789114 --> URL: >> https://210.90.95.XXX:9443/oauth2/authorize?prompt=none&state=AstNRnS88v73aAjI&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa&scope=openid >> 76.789121 --> BODY: None >> 108.266371 <-- >> code=684a2084-b823-35fc-baed-d73fdb6a9694&state=AstNRnS88v73aAjI&session_state=62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg >> 108.266883 AuthorizationResponse: { >> "code": "684a2084-b823-35fc-baed-d73fdb6a9694", >> "session_state": >> "62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg", >> "state": "AstNRnS88v73aAjI" >> } >> 108.268413 ------------ AccessTokenRequest ------------ >> 108.268842 --> URL: https://210.90.95.XXX:9443/oauth2/token >> 108.268848 --> BODY: >> code=684a2084-b823-35fc-baed-d73fdb6a9694&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb >> 108.268861 --> HEADERS: {'Content-Type': >> 'application/x-www-form-urlencoded', 'Authorization': u'Basic >> NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'} >> 109.497011 <-- STATUS: 200 >> 109.497233 <-- BODY: >> {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTc5LCJpYXQiOjE0Njg4MzYzNzl9.R81RqhJpS_qteUfH_sEQLFYLTbqS5k8GkpM4gaya3rz1yj62OB6ruXOSXFcmTYm11O-5qqJf36FOB1WFfyGNqmfKKy6XIggd6QMCdCh8yhcm8YlDKv_7VUtuFY3O0juLFCN59WEABGcl2sbJTSOGgfcZMHFwFLjKEzAnv8smQEg","token_type":"Bearer","expires_in":2021} >> 109.503787 AccessTokenResponse: { >> "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a", >> "expires_in": 2021, >> "id_token": { >> "claims": { >> "at_hash": "CWRMcEJCCQDVyKF1YCZIfg", >> "aud": [ >> "4rYClwGnY4CE_XXAkMCoWuI4mnIa" >> ], >> "auth_time": 1468835100, >> "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa", >> "exp": 1468839979, >> "iat": 1468836379, >> "iss": "https://210.90.95.XXX:9443/";, >> "sub": "admin" >> }, >> "jws header parameters": { >> "alg": "RS256", >> "kid": "1508327f853de893eeaa86c201526895d1e95143", >> "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA" >> } >> }, >> "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3", >> "scope": "openid", >> "token_type": "Bearer" >> } >> 109.515598 ==== END ==== >> >> >> ------------------------------ >> ResultPASSED >> >> >> >> Hasanthi Dissanayake >> >> Software Engineer | WSO2 >> >> E: [email protected] >> M :0718407133| http://wso2.com <http://wso2.com/> >> > > > > -- > Thanks & Regards, > > *Johann Dilantha Nallathamby* > Technical Lead & Product Lead of WSO2 Identity Server > Governance Technologies Team > WSO2, Inc. > lean.enterprise.middleware > > Mobile - *+94777776950* > Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
