Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Justin Richer <> Mon, 18 January 2016 11:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D17F11B3572 for <>; Mon, 18 Jan 2016 03:48:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fuoOkkkzUCln for <>; Mon, 18 Jan 2016 03:48:00 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5C2BB1B3573 for <>; Mon, 18 Jan 2016 03:48:00 -0800 (PST)
X-AuditID: 12074425-f793c6d000006975-c1-569cd0eee865
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E5.27.26997.EE0DC965; Mon, 18 Jan 2016 06:47:58 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id u0IBlw8p013925; Mon, 18 Jan 2016 06:47:58 -0500
Received: from [IPv6:2607:fb90:e6d:4da5:0:4e:efc7:b501] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id u0IBlti4018320 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 18 Jan 2016 06:47:57 -0500
Date: Mon, 18 Jan 2016 06:47:54 -0500
Message-ID: <>
Importance: normal
From: Justin Richer <>
To: Sergey Beryozkin <>,
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=""
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNIsWRmVeSWpSXmKPExsUixG6novvuwpwwg2fXzSxOvn3FZvFvqb0D k8fOWXfZPZYs+ckUwBTFZZOSmpNZllqkb5fAlTH9wyf2gpfaFd9WdbM0MB7U6mLk5JAQMJG4 0NDBAmGLSVy4t54NxBYSWMwk0fcgoYuRC8jeyCix7Pw/ZgjnNpPEhBWTWUGqWARUJVoWTgXq 4OAQFvCXuHAkA8TkFXCT+LqhFMTkFBCS6NolAVLMBlQ8fU0LE4gtImAtcePxdEYQm1dAUOLk zCdgJzALhEjMPjqLaQIj7ywkqVlIUhC2usSfeZeYIWxFiSndD9lnAW1jFlCTWNaqhCy8gJFt FaNsSm6Vbm5iZk5xarJucXJiXl5qka6FXm5miV5qSukmRnB4uqjuYJxwSOkQowAHoxIPr8PZ 2WFCrIllxZW5hxglOZiURHmzz88JE+JLyk+pzEgszogvKs1JLT7EKMHBrCTCG7weKMebklhZ lVqUD5OS5mBREuf9VjklTEggPbEkNTs1tSC1CCYrw8GhJMFbDjJUsCg1PbUiLTOnBCHNxMEJ MpwHaPhRkBre4oLE3OLMdIj8KUZTKXHelyAJAZBERmkeXK+SkJCAGvvvCXy5vksZGBj83h/f yghKMxfMVOa8YhQHek+YtwikkweYouAmvgJaxgS07KfHbJBlJYkIKakGxlLfhZFXGw+FvmCr +PNpRdoPExO+608vnrRh5OgtnL5A+tWioIY315Meeob9cb847YBtTeAXqx2PtL6EKFSYbLU6 6FSmePr76+lsh3Xf8vQeNrC4uanhqPV2l8q5b9rvqVjsvFeofTxkh7n7iz132Da7c7kwno4s 2Du/dmtG0fN5t+Qnr3L4KqfEUpyRaKjFXFScCAACFzslDgMAAA==
Archived-At: <>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jan 2016 11:48:03 -0000

Yes, this is common practice. Give the user the option to remember the decision. This is known as "trust on first use", or tofu. Our server, MITREid Connect, implements this as do many others. 

-- Justin
/ Sent from my phone /

-------- Original message --------
From: Sergey Beryozkin <> 
Date: 1/18/2016  5:59 AM  (GMT-05:00) 
Subject: [OAUTH-WG] Can the repeated authorization of scopes be avoided ? 

Hi All

The question relates to the process of showing the authorization 
code/implicit flow consent screen to a user.

I'm discussing with my colleagues the possibility of avoiding asking the 
same user whose session has expired and who is re-authenticating with AS 
which scopes should be approved.

For example, suppose the OAuth2 client redirects a user with the 
requested scope 'a'. The user signs in to AS and is shown a consent 
screen asking to approve the 'a' scope. The user approves 'a' and the 
flow continues.

Some time later, when the user's session has expired, the user is 
redirected to AS with the same 'a' scope.

Would it be a good idea, at this point, not to show the user the consent 
screen asking to approve the 'a' scope again ? For example, AS can 
persist the fact that a given user has already approved 'a' for a given 
client earlier, so when the user re-authenticates, AS will use this info 
and will avoid showing the consent screen.

That seems to make sense, but I'm wondering, can there be some security 
implications associated with it, any recommendations/advices will be welcome


OAuth mailing list