Hi All,
I got a response from the OIDC community and according to them handling consent is
implementation specific. So in other words both of the behaviors
1. Considering 'approve' in the same session as pre-configured consent
2. Not considering 'approve' in the same session as pre-configured consent
can be acceptable.

If we are moving ahead with the current implementation we need to provide
'approve_always' instead of 'approve' in that test case in order to pass
it. So I will keep the implementation as it is and won't introduce the new
behavior.

Thanks,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Mon, Jul 18, 2016 at 4:56 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Johann,
>
> No, the spec directly says 'If does not have *pre-configured consent*'.
> Those days when we were implementing this we interpreted pre-configured
> session as 'approve-always' or file based 'skip-consent=true'.
>
> Anyway I will raise this to OIDC community.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Mon, Jul 18, 2016 at 4:11 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hmm.. does the spec say anything related to this? If not, better we send a
>> mail to the OIDC community and check this out. But if the compliance tests are
>> failing let's go ahead with this new behaviour, but let's introduce a
>> property to turn back the old behaviour and make the new one the default.
>>
>> On Mon, Jul 18, 2016 at 4:05 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>> According to the spec [1], when prompt=none the result should be as below.
>>>
>>>> The Authorization Server MUST NOT display any authentication or consent
>>>> user interface pages. An error is returned if an End-User is not already
>>>> authenticated or the Client does not have pre-configured consent for the
>>>> requested Claims or does not fulfill other conditions for processing the
>>>> request
>>>
>>>
>>> So if we consider a scenario like
>>> 1. User sends an authorization request without any prompt value to the IS
>>> server
>>> 2. Server gives the login page
>>> 3. User provides credentials
>>> 4. Authentication is successful and the server returns the consent page
>>> 5. User provides consent as 'Approve'
>>> 6. User sends an authorization request with prompt=none
>>>
>>> According to our current implementation it gives an error page with a
>>> consent-required error as the server does not have "trusted_always" in the
>>> DB table or "skipConsent=true" in the file. But when executing the OIDC
>>> compliance test cases in such a scenario it expects this as a successful
>>> authentication as we have set the consent as approve in the same session.
>>>
>>> So if we are doing this we need to skip the consent page if there is
>>> a session with consent=approve. Do we need to change our implementation
>>> according to this? Any suggestions will be highly appreciated.
>>>
>>>
>>> The output of the test case is as below.
>>> Trace output
>>>
>>>
>>> 0.000497 ------------ AuthorizationRequest ------------
>>> 0.000903 --> URL: 
>>> https://210.90.95.XXX:9443/oauth2/authorize?scope=openid&state=hwcw3vhktnBaM99R&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa
>>> 0.000910 --> BODY: None
>>> 70.472175 <-- 
>>> code=de0696cf-7183-3c31-a13c-92695101e589&state=hwcw3vhktnBaM99R&session_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg
>>> 70.472683 AuthorizationResponse: {
>>>   "code": "de0696cf-7183-3c31-a13c-92695101e589",
>>>   "session_state": 
>>> "927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg",
>>>   "state": "hwcw3vhktnBaM99R"
>>> }
>>> 70.473121 ------------ AccessTokenRequest ------------
>>> 70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token
>>> 70.473561 --> BODY: 
>>> code=de0696cf-7183-3c31-a13c-92695101e589&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb
>>> 70.473575 --> HEADERS: {'Content-Type': 
>>> 'application/x-www-form-urlencoded', 'Authorization': u'Basic 
>>> NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'}
>>> 74.644260 <-- STATUS: 200
>>> 74.644479 <-- BODY: 
>>> {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTQ0LCJpYXQiOjE0Njg4MzYzNDR9.M3Er8G4M05JPXmm-YOsOVcimGrzr9GwSmKeqGQBMTP0ZCpJ9NlFN-SR5HJ9xcH8Tc-dh201euilqPLzkfq2annbIS8V7gkS2ttnryjp0eTDIX3p4gKoLo1HfEARb4iB6r6ovDIzqytYMPacZj5t7uxBxSz2Aiu6qjkNOb5uY7Ss","token_type":"Bearer","expires_in":2056}
>>> 76.777209 AccessTokenResponse: {
>>>   "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a",
>>>   "expires_in": 2056,
>>>   "id_token": {
>>>     "claims": {
>>>       "at_hash": "CWRMcEJCCQDVyKF1YCZIfg",
>>>       "aud": [
>>>         "4rYClwGnY4CE_XXAkMCoWuI4mnIa"
>>>       ],
>>>       "auth_time": 1468835100,
>>>       "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa",
>>>       "exp": 1468839944,
>>>       "iat": 1468836344,
>>>       "iss": "https://210.90.95.XXX:9443/",
>>>       "sub": "admin"
>>>     },
>>>     "jws header parameters": {
>>>       "alg": "RS256",
>>>       "kid": "1508327f853de893eeaa86c201526895d1e95143",
>>>       "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA"
>>>     }
>>>   },
>>>   "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3",
>>>   "scope": "openid",
>>>   "token_type": "Bearer"
>>> }
>>> 76.788640 ------------ AuthorizationRequest ------------
>>> 76.789114 --> URL: 
>>> https://210.90.95.XXX:9443/oauth2/authorize?prompt=none&state=AstNRnS88v73aAjI&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb&response_type=code&client_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa&scope=openid
>>> 76.789121 --> BODY: None
>>> 108.266371 <-- 
>>> code=684a2084-b823-35fc-baed-d73fdb6a9694&state=AstNRnS88v73aAjI&session_state=62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg
>>> 108.266883 AuthorizationResponse: {
>>>   "code": "684a2084-b823-35fc-baed-d73fdb6a9694",
>>>   "session_state": 
>>> "62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg",
>>>   "state": "AstNRnS88v73aAjI"
>>> }
>>> 108.268413 ------------ AccessTokenRequest ------------
>>> 108.268842 --> URL: https://210.90.95.XXX:9443/oauth2/token
>>> 108.268848 --> BODY: 
>>> code=684a2084-b823-35fc-baed-d73fdb6a9694&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb
>>> 108.268861 --> HEADERS: {'Content-Type': 
>>> 'application/x-www-form-urlencoded', 'Authorization': u'Basic 
>>> NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'}
>>> 109.497011 <-- STATUS: 200
>>> 109.497233 <-- BODY: 
>>> {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTc5LCJpYXQiOjE0Njg4MzYzNzl9.R81RqhJpS_qteUfH_sEQLFYLTbqS5k8GkpM4gaya3rz1yj62OB6ruXOSXFcmTYm11O-5qqJf36FOB1WFfyGNqmfKKy6XIggd6QMCdCh8yhcm8YlDKv_7VUtuFY3O0juLFCN59WEABGcl2sbJTSOGgfcZMHFwFLjKEzAnv8smQEg","token_type":"Bearer","expires_in":2021}
>>> 109.503787 AccessTokenResponse: {
>>>   "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a",
>>>   "expires_in": 2021,
>>>   "id_token": {
>>>     "claims": {
>>>       "at_hash": "CWRMcEJCCQDVyKF1YCZIfg",
>>>       "aud": [
>>>         "4rYClwGnY4CE_XXAkMCoWuI4mnIa"
>>>       ],
>>>       "auth_time": 1468835100,
>>>       "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa",
>>>       "exp": 1468839979,
>>>       "iat": 1468836379,
>>>       "iss": "https://210.90.95.XXX:9443/",
>>>       "sub": "admin"
>>>     },
>>>     "jws header parameters": {
>>>       "alg": "RS256",
>>>       "kid": "1508327f853de893eeaa86c201526895d1e95143",
>>>       "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA"
>>>     }
>>>   },
>>>   "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3",
>>>   "scope": "openid",
>>>   "token_type": "Bearer"
>>> }
>>> 109.515598 ==== END ====
>>>
>>>
>>> ------------------------------
>>> Result: PASSED
>>>
>>>
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>
>
>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
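As an added worked example (not code from this thread and not WSO2 Identity Server's implementation), here is the decision an authorization endpoint has to make for a request carrying prompt=none, with the two consent interpretations the thread discusses selectable by a policy flag, as Johann suggested. Everything here is an assumption: the Session and ConsentStore shapes, the function names, the constructed request parameters (client_id, redirect_uri and state copied from the trace above), and the choice to return errors to redirect_uri as error=login_required / consent_required rather than rendering an error page, which is what the spec text quoted in the thread requires.

```python
"""prompt=none handling for an OpenID Connect authorization endpoint.

Added example, not WSO2 Identity Server code. Models the two policies from
the thread:
  STRICT : only a persisted 'approve_always' grant (or a client configured
           with skipConsent=true) counts as pre-configured consent.
  SESSION: a plain 'approve' given earlier in the same browser session also
           counts.
"""
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlencode


class ConsentPolicy(Enum):
    STRICT = "strict"
    SESSION = "session"


@dataclass
class Session:
    authenticated: bool
    user: Optional[str] = None
    # client_id -> scopes the user clicked 'approve' for during this session
    session_consents: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class ConsentStore:
    # client_id -> scopes persisted as 'approve_always'
    always: Dict[str, Set[str]] = field(default_factory=dict)
    # clients whose configuration sets skipConsent=true
    skip_consent: Set[str] = field(default_factory=set)


def has_preconfigured_consent(client_id: str, scopes: Set[str], session: Session,
                              store: ConsentStore, policy: ConsentPolicy) -> bool:
    """True when no consent UI would be needed for this client and scope set."""
    if client_id in store.skip_consent:
        return True
    if scopes <= store.always.get(client_id, set()):
        return True
    if policy is ConsentPolicy.SESSION:
        return scopes <= session.session_consents.get(client_id, set())
    return False


def decide(params: Dict[str, str], session: Session, store: ConsentStore,
           policy: ConsentPolicy) -> Tuple[bool, str]:
    """Decide a prompt=none request. Returns (success, redirect_url).

    Errors are delivered to redirect_uri with error= and state=; no login or
    consent page is ever rendered on this path.
    """
    client_id = params["client_id"]
    redirect_uri = params["redirect_uri"]
    state = params.get("state", "")
    scopes = set(params.get("scope", "").split())
    prompt = set(params.get("prompt", "").split())
    if "none" not in prompt:
        raise ValueError("decide() only handles prompt=none requests")

    def fail(error: str) -> Tuple[bool, str]:
        return False, f"{redirect_uri}?{urlencode({'error': error, 'state': state})}"

    if len(prompt) > 1:                      # 'none' must not be combined with other values
        return fail("invalid_request")
    if not session.authenticated:
        return fail("login_required")
    if not has_preconfigured_consent(client_id, scopes, session, store, policy):
        return fail("consent_required")
    # A real server binds the code to client, user, scopes and redirect_uri and
    # expires it quickly; here we only mint an unguessable value.
    code = secrets.token_urlsafe(32)
    return True, f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


# Constructed request mirroring the second AuthorizationRequest in the trace.
CLIENT_ID = "4rYClwGnY4CE_XXAkMCoWuI4mnIa"
REDIRECT_URI = "https://op.certification.openid.net:60746/authz_cb"
REQUEST = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": "openid",
           "state": "AstNRnS88v73aAjI", "prompt": "none"}


def thread_scenario(policy: ConsentPolicy) -> Tuple[bool, str]:
    """Steps 1-6 of the thread: login, plain 'approve', then prompt=none."""
    store = ConsentStore()                   # nothing persisted, no skipConsent
    session = Session(authenticated=True, user="admin")
    session.session_consents[CLIENT_ID] = {"openid"}   # step 5: 'Approve', not 'Approve Always'
    return decide(REQUEST, session, store, policy)


def unauthenticated_scenario() -> Tuple[bool, str]:
    return decide(REQUEST, Session(authenticated=False), ConsentStore(), ConsentPolicy.SESSION)


if __name__ == "__main__":
    for policy in ConsentPolicy:
        print(policy.value, thread_scenario(policy))
```

Under STRICT the scenario from the thread ends in a redirect carrying error=consent_required, which is the current behaviour Hasanthi describes (apart from delivering it to redirect_uri instead of an error page); under SESSION the same request yields a code, which is what the compliance test expected. Whichever policy is chosen, an unauthenticated session must produce login_required and never a login page.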
