Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

Sergey Beryozkin <> Wed, 21 October 2015 14:01 UTC

To: Justin Richer <>,
References: <> <> <> <> <>
From: Sergey Beryozkin <>
Message-ID: <>
Date: Wed, 21 Oct 2015 15:01:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?
X-List-Received-Date: Wed, 21 Oct 2015 14:01:47 -0000

Hi Justin

It helps, many thanks. I understand why 'MUST' is there now...

Cheers, Sergey

On 21/10/15 14:37, Justin Richer wrote:
> You're assuming that the user actually took an action to get to that
> page. It's trivial for a website, any website, to craft a URL and
> redirect a user to the IdP. I could give you a link here in this email
> hidden behind a URL shortener or some other redirector. It would be very
> bad practice to release identity information to any site that was
> capable of doing this, and it would be likewise bad to assume
> authorization just because the user showed up at a URL. The ID token
> contains information like a unique identifier and potentially other
> claims (Google puts in email addresses, for instance).
>
> The common practice, codified in both OAuth2 and OIDC, is "Trust On
> First Use", or TOFU. If it's a new situation (new client/RP, new scopes,
> something else you're not sure about), you ask the user. Then you
> (optionally) save that for next time, so if the same situation arises,
> you already have the user's decision and you don't need to prompt them.
> This can be further augmented by whitelisting trusted sites, where the
> IdP/AS is making the authorization decision and not the user.
>
> Hope this helps,
>   -- Justin
> On 10/21/2015 9:06 AM, Sergey Beryozkin wrote:
>> Hi
>>
>> I cannot subscribe to an OIDC spec list, had some earlier questions
>> not flowing to the list, and given I'm not sure this question is
>> irrelevant for this group (an OIDC IDP is an OAuth2 server), I'm posting
>> it here. If you'd like me to re-post to the OIDC list then let me know
>> please... Sorry for the noise, just in case :-)
>>
>> So, all the flows in OIDC Core have this section:
>> This is pure OAuth2 still.
>>
>> What I do not understand, if the response_type is 'id_token' and the
>> requested scope is 'openid' only,
>> then what is a consent screen really about?
>>
>> If the response_code is 'id_token' then a user has already given the
>> implicit authorization after visiting a client application web page
>> and clicking "Sign In With Google"/etc, and signing in to the OIDC IDP.
>> I thought this is what "openid" alone is all about.
>>
>> Can someone clarify please if it is reasonable to skip challenging a
>> user with a consent screen in this case.
>>
>> Thanks, Sergey

Sergey Beryozkin

Talend Community Coders
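The decision logic Justin describes (prompt on a new client/RP or new scopes, remember the user's answer, optionally let the AS decide on the user's behalf for whitelisted clients, and never treat "the user arrived at the authorization URL" as consent) can be written down as a small policy function. The code below is an added illustration for this thread; it is not from the thread, from OIDC Core, or from any real authorization server. The store layout, the client and user names, and the return tuples are all made up here. It goes one step beyond the thread by also honouring the OIDC Core `prompt=none` and `prompt=consent` request parameters, which respectively forbid and force a consent interaction.

```python
"""TOFU consent policy for an OAuth2/OIDC authorization server.

Added illustration for the mailing-list thread above; constructed names
and data structures, not any real AS implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class ConsentStore:
    # client_ids the AS knows about; anything else is a crafted/unknown RP
    registered_clients: Set[str] = field(default_factory=set)
    # whitelisted clients: the AS operator decides, the user is not asked
    trusted_clients: Set[str] = field(default_factory=set)
    # (user, client_id) -> scopes the user has already approved (the "TOFU" memory)
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def granted(self, user: str, client_id: str) -> Set[str]:
        return self.grants.get((user, client_id), set())

    def remember(self, user: str, client_id: str, scopes: Iterable[str]) -> None:
        self.grants.setdefault((user, client_id), set()).update(scopes)


def consent_decision(store: ConsentStore, user: str, client_id: str,
                     requested_scopes: Iterable[str],
                     prompt: Optional[str] = None) -> Tuple[str, object]:
    """Decide what the AS does for a request that reached the authorization endpoint.

    Returns one of:
      ("reject", reason)              unknown client: release nothing, no ID token
      ("prompt", scopes)              new situation: show a consent screen for these scopes
      ("skip", scopes)                decision already on file, or client is whitelisted
      ("error", "consent_required")   prompt=none was requested but consent is missing
    Note that simply having arrived at the endpoint never counts as consent.
    """
    requested = set(requested_scopes)
    if client_id not in store.registered_clients:
        return ("reject", "unknown_client")
    if prompt == "consent":            # OIDC Core: client insists on re-consent
        return ("prompt", requested)
    if client_id in store.trusted_clients:
        return ("skip", requested)     # AS makes the decision, not the user
    missing = requested - store.granted(user, client_id)
    if not missing:
        return ("skip", requested)     # same client, same scopes: TOFU memory applies
    if prompt == "none":               # OIDC Core: no UI allowed, so report the gap
        return ("error", "consent_required")
    return ("prompt", missing)         # only ask about what is actually new


def record_user_decision(store: ConsentStore, user: str, client_id: str,
                         approved_scopes: Iterable[str]) -> None:
    """Persist the user's answer so the same situation does not prompt again."""
    store.remember(user, client_id, approved_scopes)


def demo():
    """Walk one user through the situations discussed in the thread (constructed data)."""
    store = ConsentStore(registered_clients={"rp-example", "rp-trusted"},
                         trusted_clients={"rp-trusted"})
    user = "alice"
    first = consent_decision(store, user, "rp-example", ["openid"])          # new RP -> prompt
    record_user_decision(store, user, "rp-example", ["openid"])              # user said yes
    second = consent_decision(store, user, "rp-example", ["openid"])         # remembered -> skip
    third = consent_decision(store, user, "rp-example", ["openid", "email"]) # new scope -> prompt
    trusted = consent_decision(store, user, "rp-trusted", ["openid", "email"])  # whitelisted
    unknown = consent_decision(store, user, "rp-crafted", ["openid"])        # crafted URL -> reject
    silent = consent_decision(store, "bob", "rp-example", ["openid"], prompt="none")
    return first, second, third, trusted, unknown, silent


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of keying the stored grant on `(user, client_id)` plus the approved scope set is that the only thing a crafted redirect can control is the request itself; it cannot manufacture a prior decision by that user for that client, so the policy falls through to "prompt" (or "reject" for an unregistered client) rather than releasing an ID token.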