Hi

I cannot subscribe to the OIDC spec list (some earlier questions of mine did not make it to that list), and since I'm not sure this question is irrelevant to this group (an OIDC IdP is an OAuth2 server), I'm posting it here. If you'd like me to re-post to the OIDC list, please let me know... Sorry for the noise, just in case :-)

So, all the flows in OIDC Core have this section:

http://openid.net/specs/openid-connect-core-1_0.html#Consent
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitConsent
http://openid.net/specs/openid-connect-core-1_0.html#HybridConsent

This is still pure OAuth2.

What I do not understand is this: if the response_type is 'id_token' and the requested scope is 'openid' only,

http://openid.net/specs/openid-connect-core-1_0.html#Authentication

then what is the consent screen really about?

If the response_type is 'id_token', then the user has already given implicit authorization by visiting the client application's web page, clicking "Sign In With Google"/etc., and signing in to the OIDC IdP. I thought this is what "openid" alone is all about.

Can someone please clarify whether it is reasonable to skip challenging the user with a consent screen in this case?

Thanks, Sergey

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
