oauth2: Remember authentication and application authorization #697

Closed
8 tasks
aeneasr opened this issue Dec 10, 2017 · 3 comments
Labels
feat New feature or request.
Milestone

Comments


aeneasr commented Dec 10, 2017

The goal of this issue is to make implementing an OIDC conformant consent app easier.

  • Hydra should remember user authentication based on cookies
  • Hydra should remember previously authorized applications and their scopes. If a subset is used, the consent screen can be skipped.
  • Hydra should listen to maxAge, prompt=login, prompt=none and prompt=consent and acr accordingly. acr should be the same as prompt=login
  • Hydra should inform the consent app what steps have to be taken:
    • mustAuthenticateUser indicates that the user must be logged out (if signed in already) and logged back in again. This should happen when prompt=login or when no user session exists
    • mustAuthorizeConsent indicates that the user must give his/her consent. This should happen when prompt=consent, when an unknown application requests authorization, or when new scopes are requested
    • requestedAuthenticationContext (Authentication Context Class Reference) indicates that some level of assurance was required. Setting this to anything other than empty or 0 has the same effect as prompt=login
  • When the user session is revoked, require re-authentication and re-authorization

For starters, subject ID and authorized clients (+ scopes) could be stored in the encrypted session cookie, or alternatively in the consent manager.

@aeneasr aeneasr added the feat New feature or request. label Dec 10, 2017
@aeneasr aeneasr added this to the 1.0.0-alpha1 milestone Dec 10, 2017

aeneasr commented Dec 11, 2017

OIDC compliant:


graph TD
H{Hydra} -->|Redirects to consent app with consent request ID| C{Consent App}
C -->CRP(Check if consent url query `?consent=$consent-id` is set)
CRP-->|no|Err(Notify user with error message)
CRP-->|yes|CG(Fetch consent request payload from `GET /oauth2/consent/request/$consent-id`)
CG-->CGL(Check `mustAuthenticateUser`)
CGL-->|true| FORCELOGIN(Force login, show login ui,  acr)
CGL-->|false| LOGINCHECK(Is the user signed in?)
LOGINCHECK-->|true| CONSENTCHECK(Check `mustConsent`)
LOGINCHECK-->|false| LOGIN(Show login ui)
LOGIN-->|successful| CONSENTCHECK
LOGIN-->|unsuccessful| LOGIN
FORCELOGIN-->|successful| CONSENTCHECK
FORCELOGIN-->|unsuccessful| FORCELOGIN
CONSENTCHECK-->|true| CONSENT(Ask user to authorize application and scopes)
CONSENTCHECK-->|false| ACCEPT
CONSENT-->|User authorized application| ACCEPT(`PUT /oauth2/consent/request/$consent-id/accept`)
CONSENT-->|User aborted authorization| REJECT(`PUT /oauth2/consent/request/$consent-id/reject`)
ACCEPT-->END(Redirect user to redirectUrl from consent request payload)
REJECT-->END

Simple (not OIDC compliant):


graph TD
H{Hydra} -->|Redirects to consent app with consent request ID| C{Consent App}
C -->CRP(Check if consent url query `?consent=$consent-id` is set)
CRP-->|no|Err(Notify user with error message)
CRP-->LOGIN(Force user login in, show login ui)
LOGIN-->|successful| FETCH(Fetch consent request payload from `GET /oauth2/consent/request/$consent-id`)
LOGIN-->|unsuccessful| LOGIN
FETCH-->CONSENT(Ask user to authorize application and scopes)
CONSENT-->|User authorized application| ACCEPT(`PUT /oauth2/consent/request/$consent-id/accept`)
CONSENT-->|User aborted authorization| REJECT(`PUT /oauth2/consent/request/$consent-id/reject`)
ACCEPT-->END(Redirect user to redirectUrl from consent request payload)
REJECT-->END

@aeneasr aeneasr modified the milestones: 1.0.0-alpha1, 0.11.0 Dec 14, 2017

aeneasr commented Dec 14, 2017

Consent flow in hydra


graph TD
UA{User Agent}-->|Initiates OpenID Connect Flow| H{Hydra}
H --> SESSC(Check if cookie session exists)

SESSC-->|yes| REQC(Check request for prompt/maxAge)
SESSC-->|no| CONSENTF

REQC -->|prompt and maxAge not set| CLIENTC1(Check if client was previously authorized using specified scopes)
REQC -->|prompt=login| CONSENTF(Redirect to consent app with mustAuthenticate=true and mustConsent=true)
REQC -->|prompt=consent| CONSENTCF(Redirect to consent app with mustConsent=true)
REQC -->|prompt=none| CLIENTC2(Check if client was previously authorized using specified scopes)
REQC -->|maxAge reached| CONSENTF(Redirect to consent app with mustAuthenticate=true and mustConsent=true)
REQC -->|maxAge not reached| CLIENTC1

CONSENTF --> CONSENTCB(Check if consent was accepted)
CONSENTCF --> CONSENTCB

CLIENTC1 --> |yes| GRANT
CLIENTC1 --> |no| CONSENTCF

CONSENTCB --> |accepted| GRANT
CONSENTCB --> |denied| DENY(Deny request)

CLIENTC2 --> |yes| GRANT(Grant request)
CLIENTC2 --> |no| ERROR(Show error)
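The decision the flow chart above (and the checklist in the opening post) describes, written out as an added example in Go; this is illustrative code, not Hydra's own types or API. It assumes the session cookie carries the authentication time and the remembered client/scope grants, and it goes one step beyond the chart by returning the OpenID Connect login_required error when prompt=none arrives without any session.

```go
package main

import "time"

// Constructed types for this example, not Hydra's own API. Session models the
// encrypted session cookie: when the user authenticated and which scopes each
// client was previously authorized for by this subject.
type Session struct {
	AuthenticatedAt time.Time
	Grants          map[string]map[string]bool // client_id -> granted scope set
}

// AuthRequest carries the OpenID Connect parameters the decision depends on.
type AuthRequest struct {
	ClientID, Prompt, ACR string // prompt: "", "login", "consent" or "none"
	Scopes                []string
	MaxAge                int64 // seconds; 0 means max_age was not sent
}

// Decision is what the consent app is told to do; Err carries the OIDC error
// code when prompt=none cannot be honoured without user interaction.
type Decision struct {
	MustAuthenticate, MustConsent bool
	Err                           string
}

// Decide follows the flow chart: session check, then prompt/max_age/acr, then
// remembered grants. An acr other than "" or "0" is treated like prompt=login.
func Decide(sess *Session, req AuthRequest, now time.Time) Decision {
	if sess == nil {
		if req.Prompt == "none" {
			return Decision{Err: "login_required"} // no interaction allowed
		}
		return Decision{MustAuthenticate: true, MustConsent: true}
	}
	expired := req.MaxAge > 0 && now.Sub(sess.AuthenticatedAt) > time.Duration(req.MaxAge)*time.Second
	if req.Prompt == "login" || expired || (req.ACR != "" && req.ACR != "0") {
		return Decision{MustAuthenticate: true, MustConsent: true}
	}
	// The consent screen can only be skipped if every requested scope is a
	// subset of what this client was granted before.
	known := true
	for _, s := range req.Scopes {
		known = known && sess.Grants[req.ClientID][s]
	}
	if req.Prompt == "none" && !known {
		return Decision{Err: "consent_required"}
	}
	return Decision{MustConsent: req.Prompt == "consent" || !known}
}
```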

aeneasr pushed a commit that referenced this issue Dec 16, 2017
This commit aims at improving OpenID Connect conformity whilst making it
as easy as possible to implement the consent app.

For that reason, ORY Hydra is now capable of remembering user sessions
and previous consent requests, and properly handles OpenID Connect's
maxAge and prompt parameters.

Additionally, public OAuth 2.0 clients always require the full consent
flow.

Closes #692
Closes #697
@aeneasr aeneasr modified the milestones: 0.12.0, 1.0.0-alpha1 Jan 15, 2018

aeneasr commented May 20, 2018

This is resolved on master

@aeneasr aeneasr closed this as completed May 20, 2018