According to the OpenID Connect Core 1.0 specification, if an authentication request contains the parameter prompt with the value none, the server must process it the following way:
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
My problem is that whenever I try to validate an access token received earlier this way (passing the prompt=none pair along with the other required parameters), the WSO2 IS server always replies with code 302 and redirects to the login page. Below is the corresponding output from the following cURL command:
curl -v -k -X GET "https://localhost:9443/oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx" --header "Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4"
> GET /oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:9443
> Accept: */*
> Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4
>
< HTTP/1.1 302 Found
< Date: Thu, 14 Aug 2014 17:01:17 GMT
< Location: https://localhost:9443/commonauth/?sessionDataKey=bf5be153-4j31-429b-9fa6-97rr27da213&type=oidc&commonAuthCallerPath=/oauth2/authorize&forceAuthenticate=false&checkAuthentication=false&relyingParty=BpKCycd5dBfZdpVswSE5f6Hf5CYa&tenantId=-1234&prompt%3Dnone%26scope%3Dopenid%26client_id%3DBpKCycr5dBuZCpVBwSE5f6Hf5CYa%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8080%252Fmy-app%252Fmy-ctx
Could someone tell me whether the problem is in the authentication request itself (and I did something wrong) or whether the WSO2 IS server behaviour in this case doesn't conform to the specification?
I work with WSO2 Identity Server 5.0.0.
Thanks in advance for your answers!
According to the spec: The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.
But this request only sends none as the prompt value. So if the prompt value is set to none together with any other value, it gives an error.
Example:
curl -v -k -X GET "https://localhost:9444/oauth2/authorize?prompt=none+login&scope=openid..."
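The following is an added example, not code from the question, the answer, or WSO2 Identity Server. It shows what a client doing the "silent" prompt=none check described in the question should send, and how it should read the Authorization Server's reply under OpenID Connect Core 1.0: with response_type=code, both success and the prompt=none error codes (login_required, interaction_required, and the other codes of section 3.1.2.6) come back as a redirect to the client's own redirect_uri, carrying either a code or an error parameter, never as a redirect to the provider's login page. It also enforces the rule quoted in the answer that none must not be combined with any other prompt value. Two assumptions worth stating: the authorization endpoint decides "already authenticated" from the End-User's browser session (normally a cookie), not from an Authorization: Bearer header, so a request with no session should expect error=login_required; and the state parameter (recommended by the spec, absent from the question's command) is added here because it is the only way to tell that the redirect you receive belongs to the request you sent. The function names, the classification labels and the sample Location headers are constructed for this example; the endpoint and redirect_uri values are taken from the question.

```python
# Added example (not from the question, the answer, or WSO2 IS): build an
# OpenID Connect prompt=none authorization request and classify the
# Authorization Server's redirect according to OIDC Core 1.0 rules.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"  # from the question
REDIRECT_URI = "http://localhost:8080/my-app/my-ctx"            # from the question

# Error codes an AS may return for a prompt=none request
# (OIDC Core 1.0, section 3.1.2.6).
PROMPT_NONE_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def validate_prompt(values):
    """Enforce the spec rule quoted in the answer: 'none' stands alone.

    `values` is the space-separated prompt list as a Python list.
    """
    allowed = {"none", "login", "consent", "select_account"}
    unknown = set(values) - allowed
    if unknown:
        raise ValueError("unknown prompt value(s): %s" % ", ".join(sorted(unknown)))
    if "none" in values and len(values) > 1:
        raise ValueError("prompt=none must not be combined with other values")
    return " ".join(values)


def build_prompt_none_request(client_id, state, nonce=None):
    """Return the authorization URL for a silent (prompt=none) session check."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "prompt": validate_prompt(["none"]),
        "state": state,  # echoed back by the AS; binds reply to this request
    }
    if nonce:
        params["nonce"] = nonce
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def classify_response(status, location, expected_state):
    """Classify the authorization endpoint's reply to a prompt=none request.

    Returns one of:
      "authenticated"     - 302 to redirect_uri carrying a code (session exists)
      "not_authenticated" - 302 to redirect_uri carrying a prompt=none error
      "other_error"       - 302 to redirect_uri carrying some other error code
      "state_mismatch"    - reply does not echo our state; do not trust it
      "nonconformant"     - anything else, e.g. a 302 to the provider's own
                            login page, which prompt=none forbids
    """
    if status not in (302, 303):
        return "nonconformant"
    loc = urlsplit(location)
    exp = urlsplit(REDIRECT_URI)
    # The AS must send the user agent back to the registered redirect_uri.
    if (loc.scheme, loc.netloc, loc.path) != (exp.scheme, exp.netloc, exp.path):
        return "nonconformant"
    qs = parse_qs(loc.query)
    if qs.get("state", [None])[0] != expected_state:
        return "state_mismatch"
    if "error" in qs:
        return "not_authenticated" if qs["error"][0] in PROMPT_NONE_ERRORS else "other_error"
    if "code" in qs:
        return "authenticated"
    return "nonconformant"


if __name__ == "__main__":
    state = "s1"
    print(build_prompt_none_request("BpMCycs5nBuZCpVLwSE5f6Hf5CYa", state))
    # Constructed sample replies (not captured from a real server):
    samples = [
        # spec-conformant "no session" answer
        (302, REDIRECT_URI + "?error=login_required&state=s1"),
        # spec-conformant "session exists" answer
        (302, REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=s1"),
        # the shape seen in the question: redirect to the IdP's own login flow
        (302, "https://localhost:9443/commonauth/?sessionDataKey=x&type=oidc"),
    ]
    for status, location in samples:
        print(status, location, "->", classify_response(status, location, state))
```

A client treating "nonconformant" as "not authenticated" would silently fall back to an interactive login, which hides the interoperability problem; logging it separately makes a server that ignores prompt=none visible.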