[OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 21 October 2015 13:06 UTC

To: oauth@ietf.org
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <CAEayHEM=nHk9TbTFno+7otwNry++cYGcGcGuNM7mi19gE5KjcA@mail.gmail.com> <41395617-E5A9-4294-9F8B-DFE9E27F74F8@xmlgrrl.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56278DC4.3060600@gmail.com>
Date: Wed, 21 Oct 2015 14:06:12 +0100
In-Reply-To: <41395617-E5A9-4294-9F8B-DFE9E27F74F8@xmlgrrl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RytF2qWXx9wuLWcLyl5ycsJK2hQ>
Subject: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?


I cannot subscribe to the OIDC spec list; some earlier questions of mine did not 
flow to that list, and given I'm not sure this question is irrelevant 
for this group (an OIDC IDP is an OAuth2 server), I'm posting it here. If 
you'd like me to re-post to the OIDC list, then please let me 
know... Sorry for the noise, just in case :-)

So, all the flows in OIDC Core have this section:


This is pure OAuth2 still.

What I do not understand is this: if the response_type is 'id_token' and the 
requested scope is 'openid' only,


then what is a consent screen really about?

If the response_code is 'id_token', then a user has already given the 
implicit authorization after visiting a client application web page, 
clicking "Sign In With Google"/etc., and signing in to the OIDC IDP. I 
thought this is what "openid" alone is all about.

Can someone please clarify whether it is reasonable to skip challenging a 
user with a consent screen in this case?

Thanks, Sergey
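The question above is about when an OIDC provider may skip the consent screen. The following Python is an added example, not code from the thread or from any OIDC implementation. It parses an OIDC authentication request from the authorization endpoint URL, enforces the spec-level checks that are independent of consent policy (scope must contain openid; nonce is required whenever response_type contains id_token; prompt=none must not be combined with other prompt values and must not trigger any UI, yielding the login_required / consent_required errors instead), and then applies one assumed, clearly labelled policy for the case discussed in the mail: an openid-only scope for an already-authenticated user skips consent, while any additional scope not previously consented to, or an explicit prompt=consent, requires the consent screen. The helper names (parse_authn_request, consent_decision, InvalidRequest) and the prior_consent argument are mine, not anything from the specs.

```python
"""Added example: decide whether an OIDC authentication request needs a consent screen.

The policy "openid alone for an authenticated user needs no separate consent screen"
is an ASSUMPTION made for this example; it is not mandated by OIDC Core.
Parameter names and error codes follow OAuth2 (RFC 6749) and OIDC Core.
"""
from urllib.parse import urlparse, parse_qs

# prompt values defined by OIDC Core 3.1.2.1
OIDC_PROMPT_VALUES = {"none", "login", "consent", "select_account"}


class InvalidRequest(ValueError):
    """Raised for requests the server should reject with an error response."""


def parse_authn_request(url: str) -> dict:
    """Parse and validate an authorization-endpoint URL as an OIDC authentication request."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    # RFC 6749 3.1: a parameter must not be included more than once.
    duplicates = [k for k, v in query.items() if len(v) > 1]
    if duplicates:
        raise InvalidRequest(f"duplicate parameters: {duplicates}")
    params = {k: v[0] for k, v in query.items()}
    for required in ("client_id", "redirect_uri", "response_type", "scope"):
        if required not in params:
            raise InvalidRequest(f"missing required parameter: {required}")
    scopes = set(params["scope"].split())
    response_types = set(params["response_type"].split())
    if "openid" not in scopes:
        raise InvalidRequest("not an OIDC request: scope does not contain openid")
    # Implicit and hybrid flows return an id_token from the authorization endpoint;
    # OIDC Core makes nonce REQUIRED for them (it binds the id_token to this request).
    if "id_token" in response_types and not params.get("nonce"):
        raise InvalidRequest("nonce is required when response_type contains id_token")
    prompts = set(params.get("prompt", "").split())
    unknown = prompts - OIDC_PROMPT_VALUES
    if unknown:
        raise InvalidRequest(f"unknown prompt value(s): {sorted(unknown)}")
    if "none" in prompts and len(prompts) > 1:
        raise InvalidRequest("prompt=none must not be combined with other prompt values")
    return {"params": params, "scopes": scopes,
            "response_types": response_types, "prompts": prompts}


def consent_decision(req: dict, user_authenticated: bool,
                     prior_consent: frozenset = frozenset()) -> str:
    """Return the next step for the authorization server:
    'login', 'consent', 'skip', or 'error:<oidc_error_code>' when prompt=none forbids UI.

    prior_consent (assumed bookkeeping, not from the spec): scopes this user has already
    granted to this client in an earlier interaction.
    """
    prompts = req["prompts"]
    silent = "none" in prompts          # no authentication or consent UI allowed
    if not user_authenticated or "login" in prompts:
        return "error:login_required" if silent else "login"
    # ASSUMED POLICY: 'openid' on its own carries no extra grant to ask about,
    # so only scopes beyond it (and not already consented) need a consent screen.
    ungranted = req["scopes"] - {"openid"} - prior_consent
    needs_consent = "consent" in prompts or bool(ungranted)
    if needs_consent:
        return "error:consent_required" if silent else "consent"
    return "skip"


if __name__ == "__main__":
    # Constructed sample request matching the scenario in the mail: id_token + openid only.
    url = ("https://op.example/authorize?response_type=id_token&scope=openid"
           "&client_id=web-app&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&nonce=n-0S6_WzA2Mj")
    print(consent_decision(parse_authn_request(url), user_authenticated=True))
```

Usage: call parse_authn_request on the full authorization URL, then consent_decision with the server's view of the session. An "error:..." result means the server must redirect back with that error code rather than render a page, because prompt=none was requested.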