Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

Justin Richer <> Wed, 21 October 2015 13:37 UTC


You're assuming that the user actually took an action to get to that 
page. It's trivial for a website, any website, to craft a URL and 
redirect a user to the IdP. I could give you a link here in this email 
hidden behind a URL shortener or some other redirector. It would be very 
bad practice to release identity information to any site that was 
capable of doing this, and it would be likewise bad to assume 
authorization just because the user showed up at a URL. The ID token 
contains information like a unique identifier and potentially other 
claims (Google puts in email addresses, for instance).

The common practice, codified in both OAuth2 and OIDC, is "Trust On 
First Use", or TOFU. If it's a new situation (new client/RP, new scopes, 
something else you're not sure about), you ask the user. Then you 
(optionally) save that for next time, so if the same situation arises, 
you already have the user's decision and you don't need to prompt them. 
This can be further augmented by whitelisting trusted sites, where the 
IdP/AS is making the authorization decision and not the user.

Hope this helps,
  -- Justin

On 10/21/2015 9:06 AM, Sergey Beryozkin wrote:
> Hi
> I cannot subscribe to an OIDC spec list, had some earlier questions 
> not flowing to the list and given I'm not sure this question is 
> irrelevant for this group (OIDC IDP is an OAuth2 server), I'm posting 
> it here. If you'd like me to re-post to the OIDC list then let me know 
> please... Sorry for the noise, just in case :-)
> So, all the flows in OIDC Core have this section:
> This is pure OAuth2 still.
> What I do not understand, if the response_type is 'id_token' and the 
> requested scope is 'openid' only,
> then what is a consent screen really about ?
> If the response_code is 'id_token' then a user has already given the 
> implicit authorization after visiting a client application web page 
> and clicking "Sign In With Google"/etc, and signing in to the OIDC IDP. 
> I thought this is what "openid" alone is all about.
> Can someone clarify please if it is reasonable to skip challenging a 
> user with a consent screen in this case.
> Thanks, Sergey
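
Added example, not part of the original messages and not taken from any IdP's code: a minimal sketch of the Trust On First Use consent check described in the reply above, including the operator allowlist. The class `ConsentStore`, the return constants, and the user and client names are hypothetical.

```python
from dataclasses import dataclass, field

PROMPT = "prompt_user"
SKIP_REMEMBERED = "skip_remembered_grant"
SKIP_TRUSTED = "skip_trusted_client"


@dataclass
class ConsentStore:
    """Consent state held by the IdP/AS (hypothetical structure)."""
    # Clients for which the IdP/AS operator, not the user, makes the decision.
    trusted_clients: frozenset = frozenset()
    # (user, client_id) -> set of scopes that user has already approved.
    grants: dict = field(default_factory=dict)

    def decide(self, user, client_id, scopes):
        """Decide whether the authorization endpoint must show a consent screen.

        Arriving at the authorization URL is never treated as consent:
        any site can redirect a logged-in user there.
        """
        requested = set(scopes)
        if client_id in self.trusted_clients:
            return SKIP_TRUSTED
        approved = self.grants.get((user, client_id), set())
        # Skip only when every requested scope was approved before.
        if requested and requested <= approved:
            return SKIP_REMEMBERED
        return PROMPT

    def record_approval(self, user, client_id, scopes):
        """Save the user's decision so the same situation need not prompt again."""
        self.grants.setdefault((user, client_id), set()).update(scopes)


def demo():
    """Walk through constructed requests and return the decisions in order."""
    store = ConsentStore(trusted_clients=frozenset({"intranet-portal"}))
    out = []
    # New client asking only for 'openid': still a first use, so ask.
    out.append(store.decide("alice", "shop.example", ["openid"]))
    store.record_approval("alice", "shop.example", ["openid"])
    # Same user, same client, same scope: remembered.
    out.append(store.decide("alice", "shop.example", ["openid"]))
    # Same client now wants a new scope: ask again.
    out.append(store.decide("alice", "shop.example", ["openid", "email"]))
    # Another user's approval does not carry over.
    out.append(store.decide("bob", "shop.example", ["openid"]))
    # Allowlisted client: the IdP/AS decides.
    out.append(store.decide("alice", "intranet-portal", ["openid", "email"]))
    return out
```
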