Consent screen is only skipped for the same scope set as the last token #899


Closed
powelski opened this issue Nov 30, 2018 · 6 comments

Comments

@powelski

Currently, the consent screen is skipped only if we request the exact same scopes as we did for the previous token. I think it could be improved to only display consent screen if there is a new scope requested. In other words, a scope that is not present in any active token for this user.

Example: now, if we previously granted scopeA, scopeB and scopeC to some app and then have another token requested for scopeA and scopeC, the consent screen will be displayed. But if we request a token for the exact same set of scopes (scopeA, scopeB, scopeC), the consent screen is skipped. Also, if after accepting a token for scopeA, scopeB and scopeC we accept another token for scopeA and scopeC, another token request will only skip the consent screen for the scopeA and scopeC set. I don't see why we would want to skip the consent screen only for the exact same scope set as the last token we requested.
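As an added illustration (not Laravel Passport's code and not from the issue author), the two policies compared above as PHP functions: the current exact-match check against the last token, and the proposed check against the union of scopes in the user's active tokens. The token record fields (`scopes`, `revoked`, `expires_at`) and the sample tokens are constructed assumptions, not Passport's schema.

```php
<?php
// Added example, not Laravel Passport code. Token records are constructed
// in-line and their field names are assumptions, not Passport's schema.

/** Current behaviour: skip only if the request equals the last token's scope set exactly. */
function skipConsentExactMatch(array $requested, ?array $lastToken, int $now): bool
{
    if ($lastToken === null || $lastToken['revoked'] || $lastToken['expires_at'] <= $now) {
        return false;
    }
    $a = array_values(array_unique($requested));
    $b = array_values(array_unique($lastToken['scopes']));
    sort($a);
    sort($b);
    return $a === $b;
}

/** Proposed behaviour: skip if every requested scope is already granted by some active token. */
function skipConsentSubsetOfActive(array $requested, array $tokens, int $now): bool
{
    $granted = [];
    foreach ($tokens as $t) {
        // Only unrevoked, unexpired tokens count: an expired grant is not evidence of consent.
        if ($t['revoked'] || $t['expires_at'] <= $now) {
            continue;
        }
        foreach ($t['scopes'] as $s) {
            $granted[$s] = true;
        }
    }
    foreach ($requested as $s) {
        if (!isset($granted[$s])) {
            return false; // a scope never consented to: show the consent screen
        }
    }
    return true;
}

// Constructed sample reproducing the sequence from the issue text.
$now = 1000000;
$tokens = [
    ['scopes' => ['scopeA', 'scopeB', 'scopeC'], 'revoked' => false, 'expires_at' => $now + 3600],
];
$last = $tokens[count($tokens) - 1];

var_dump(skipConsentExactMatch(['scopeA', 'scopeC'], $last, $now));       // false: shown today
var_dump(skipConsentSubsetOfActive(['scopeA', 'scopeC'], $tokens, $now));  // true: proposed
var_dump(skipConsentSubsetOfActive(['scopeA', 'scopeD'], $tokens, $now));  // false: scopeD is new
```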

@powelski powelski changed the title from "Consent screen is only skipped for the same scope of the last token" to "Consent screen is only skipped for the same scope set as the last token" Nov 30, 2018
@driesvints
Member

Can we first check if this conforms to the OAuth2 spec?

@driesvints
Member

@Sephster what's your take on this?

@Sephster
Contributor

The mechanism that @powelski is describing is the same way that refresh tokens work. You can request the same scopes or fewer scopes (all must be included in the original access token request), but you are not able to request additional scopes on a refresh token. However, this is only applicable to a refresh token and not to a request for an access token.

To strictly conform to the OAuth 2 spec, I think we should probably be asking for consent every time. There is nothing in the spec about skipping consent if the same client asks for the same scopes again and has previously been approved.

I'm not a hundred percent sure but I suspect working in this manner might risk a slight security issue. I don't think the system should be assuming that consent is given at time x because it was previously given at time y. I'm not familiar with the feature so don't know if there is an expiry time on this behaviour or not, but this would mitigate the risk somewhat.

If the auth code grant is being used, I believe it should always be the user that gives consent to the client.

@driesvints
Member

@Sephster so you'd recommend never skipping? We'll need to adjust some things then?

@driesvints
Member

I'm going to close this because we haven't gotten any other requests for this. Will be happy to look into this again if it ever becomes a bigger issue.

@powelski
Author

This is very much an issue in apps with many scopes, which are granted gradually. I believe Laravel Passport is not too often used heavily, or is used just as it is, asking for permissions all the time. OAuth 2 can do better.
