When `prompt=none` is set, reauthorizing with a smaller set of scopes causes an error #63
If I have previously authorized with a Doorkeeper-OIDC-based IDP using `scope=openid+email+name`, a `prompt=none` authorization request with a more narrow set of claims, such as `scope=openid+email`, will fail. The error will indicate that user consent is required; however, I think this is incorrect. The user has already granted consent for the `email` and `name` claims; my reauthorization request is only requesting the `email` claim, so I believe the correct behavior is to generate and return a new access token with the `openid` and `email` claims.

If this is in fact a bug, the problem seems to be that an exact match between the incoming scopes and the previously granted access token's scopes is required by this method:
https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/lib/doorkeeper/openid_connect/helpers/controller.rb#L79

Comments

@meagar thanks for the report! I think you're right:

That is what I would expect as well. I can't find anything concrete in the specs except for this section:

I've started to look into this in #65, but the problem is that Doorkeeper also performs an exact match in https://github.com/doorkeeper-gem/doorkeeper/blob/9ae5f9fff7234123216ae56f37c73534a7373654/lib/doorkeeper/models/access_token_mixin.rb#L104. So even though the OIDC code won't raise an error anymore, Doorkeeper will still render the authorization form. I'll open an issue on the Doorkeeper gem!
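To make the two matching rules under discussion concrete, here is an added, self-contained Ruby example; it is not code from doorkeeper-openid_connect or Doorkeeper, and the helper names (`parse_scopes`, `exact_match?`, `subset_match?`, `prompt_none_outcome`) and the sample scope strings are constructed for illustration. It contrasts the exact-match rule the issue describes (a narrower `prompt=none` request fails with `consent_required`) with a subset rule under which a request is served silently only when every requested scope was already granted, and the resulting token carries just the narrower set of scopes. The decision function also covers the case the subset rule must still reject: a request that asks for a scope the user never consented to.

```ruby
# Added example: models the consent decision for prompt=none discussed in
# issue #63. Not Doorkeeper's or doorkeeper-openid_connect's own code.
require "set"

# Parse a scope parameter such as "openid email name" into a Set.
# Accepting "+" as well as whitespace is a convenience for pasting the
# URL-encoded form ("openid+email") directly; real servers decode first.
def parse_scopes(scope_param)
  scope_param.to_s.split(/[\s+]+/).reject(&:empty?).to_set
end

# Exact-match rule: the stored token's scopes must equal the request's
# scopes (order does not matter, because both sides are sets).
def exact_match?(granted, requested)
  parse_scopes(granted) == parse_scopes(requested)
end

# Subset rule: every requested scope must already have been granted.
# A request for a scope the user never consented to still fails here.
def subset_match?(granted, requested)
  parse_scopes(requested).subset?(parse_scopes(granted))
end

# Decide how a prompt=none request is answered under a given rule.
#   granted_scopes: scope strings of the user's still-valid tokens for
#                   this client (constructed input in the demo below)
#   requested:      the new request's scope parameter
# Returns [:token, scopes] when the request can be served without
# interaction, with `scopes` narrowed to what was actually requested, or
# [:error, "consent_required"] (the OIDC error code for a prompt=none
# request that would need the user to consent again).
def prompt_none_outcome(granted_scopes, requested, rule: :subset)
  matched = granted_scopes.any? do |granted|
    rule == :exact ? exact_match?(granted, requested) : subset_match?(granted, requested)
  end
  return [:error, "consent_required"] unless matched

  [:token, parse_scopes(requested).to_a.sort]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario from the issue: one earlier consent for three scopes.
  granted = ["openid email name"]

  # Exact match (the behaviour reported): narrower request is rejected.
  p prompt_none_outcome(granted, "openid email", rule: :exact)
  # Subset rule: narrower request is served with only the requested scopes.
  p prompt_none_outcome(granted, "openid email", rule: :subset)
  # Subset rule still refuses a scope that was never granted.
  p prompt_none_outcome(granted, "openid email profile", rule: :subset)
end
```

Run it with `ruby scopes_demo.rb`; the three calls print `[:error, "consent_required"]`, `[:token, ["email", "openid"]]` and `[:error, "consent_required"]` in that order. The narrowing in the `:token` branch is deliberate: issuing the broader granted set for a narrower request would hand the client more access than it asked for.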