[OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 21 October 2015 13:06 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9771A6FCD for <oauth@ietfa.amsl.com>; Wed, 21 Oct 2015 06:06:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZI3BEPMwJyr for <oauth@ietfa.amsl.com>; Wed, 21 Oct 2015 06:06:16 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C5681A6FCF for <oauth@ietf.org>; Wed, 21 Oct 2015 06:06:15 -0700 (PDT)
Received: by wijp11 with SMTP id p11so94098308wij.0 for <oauth@ietf.org>; Wed, 21 Oct 2015 06:06:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=8voMXGJXrmvuZl7O4BT8Wqn0P34dfwJimbUav3MDhQQ=; b=ViDgdFcvr2ZtFvArqOVuvyTWl82gWhbeohqHkVNv31Rhm4wYyEPhhHHJuxY2aBzwgX sOS3ynBp/Td+Zfl+2V7q/0yMCiji4mZkVop4UbdwkfGWgDWH0kkSmpvD9ZiPtoqHy0Tx Kqh82yDfFfGlVDP5wSmh7J6ctNbYIdckTe67xr6NroNKhCNQJfKKSOMdPNUcZ6/PMRf1 Raw98PtZSTeir34LssSTSgEfMeCCW9eutCLD1gsIECw8QHOPqg2dBd+4bW354dcXVJ8J sBthI12aDGcmCmYxkpIJW2Ur+YMANZHmjTEg1sCL/EZjGzRgQAS3z+fe6XSKDSzALwTB CRxA==
X-Received: by 10.194.118.234 with SMTP id kp10mr10893076wjb.59.1445432773985; Wed, 21 Oct 2015 06:06:13 -0700 (PDT)
Received: from [10.36.226.98] ([80.169.137.63]) by smtp.googlemail.com with ESMTPSA id jh4sm5866620wjb.33.2015.10.21.06.06.12 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Oct 2015 06:06:13 -0700 (PDT)
To: oauth@ietf.org
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <CAEayHEM=nHk9TbTFno+7otwNry++cYGcGcGuNM7mi19gE5KjcA@mail.gmail.com> <41395617-E5A9-4294-9F8B-DFE9E27F74F8@xmlgrrl.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56278DC4.3060600@gmail.com>
Date: Wed, 21 Oct 2015 14:06:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <41395617-E5A9-4294-9F8B-DFE9E27F74F8@xmlgrrl.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RytF2qWXx9wuLWcLyl5ycsJK2hQ>
Subject: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 13:06:18 -0000
Hi I can not subscribe to an OIDC spec list, had some earlier questions not flowing to the list and given I'm not sure this question is irrelevant for this group (OIDC IDP is an OAuth2 server), I'm posting it here. If you'd like me to re-post to the OIDC list then let me know please...Sorry for a noise, just in case :-) So, all the flows in OIDC Core have this section: http://openid.net/specs/openid-connect-core-1_0.html#Consent http://openid.net/specs/openid-connect-core-1_0.html#ImplicitConsent http://openid.net/specs/openid-connect-core-1_0.html#HybridConsent This is pure OAuth2 still. What I do not understand, if the response_type is 'id_token' and the requested scope is 'openid' only, http://openid.net/specs/openid-connect-core-1_0.html#Authentication then what is a consent screen really about ? If the response_code is 'id_token' then a user has already given the implicit authorization after visiting a client application web page and clicking "Sign In With Google"/etc, and signing in into OIDC IDP. I thought this is what "openid" alone is all about. Can someone clarify please if it is reasonable to skip challenging a user with a consent screen in this case. Thanks, Sergey
- [OAUTH-WG] Auth Server / Resource Server Coordina… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Jim Manico
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Justin Richer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Thomas Broyer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Eve Maler
- [OAUTH-WG] Is authorization challenge always need… Sergey Beryozkin
- Re: [OAUTH-WG] Is authorization challenge always … Justin Richer
- Re: [OAUTH-WG] Is authorization challenge always … Sergey Beryozkin