Can't validate access token via OAuth2/OpenID Connect with prompt=none parameter on WSO2 Identity Server

According to the OpenID Connect Core 1.0 specification, if an authentication request contains the parameter prompt with the value none, the server must process it in the following way:

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

My problem is that whenever I try to validate an access token received earlier this way (passing the prompt=none pair along with the other required parameters), the WSO2 IS server always replies with code 302 and a redirect to the login page. Below is the corresponding output from the following cURL command:

curl -v -k -X GET "https://localhost:9443/oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx" --header "Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4"

> GET /oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f
6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:9443
> Accept: */*
> Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4
>
< HTTP/1.1 302 Found
< Date: Thu, 14 Aug 2014 17:01:17 GMT
< Location: https://localhost:9443/commonauth/?sessionDataKey=bf5be153-4j31-429b
-9fa6-97rr27da213&type=oidc&commonAuthCallerPath=/oauth2/authorize&forceAuthent
icate=false&checkAuthentication=false&relyingParty=BpKCycd5dBfZdpVswSE5f6Hf5CYa&
tenantId=-1234&prompt%3Dnone%26scope%3Dopenid%26client_id%3DBpKCycr5dBuZCpVBwSE5
f6Hf5CYa%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%25
3A8080%252Fmy-app%252Fmy-ctx

Could someone tell me: is it a problem in the authentication request itself (did I do something wrong), or does the WSO2 IS server's behaviour in this case not conform to the specification?

I work with WSO2 Identity Server 5.0.0.

Thanks in advance for your answers!

lester asked Nov 01 '22 18:11


1 Answer

According to the spec: The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.

But this request only sends none as the prompt value. It is when the prompt value is set to none together with any other value that it gives an error.

Example:

curl -v -k -X GET "https://localhost:9444/oauth2/authorize?prompt=none+login&scope=openid..."

Ishara answered Nov 13 '22 03:11
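The conformance check the question is really asking about (plus the "none must stand alone" rule from the answer), as an added Python example that is not part of the original question or answer and not WSO2 code: it classifies a captured 302 reply to a prompt=none request, distinguishing a spec-conforming redirect back to redirect_uri (with a code or a login_required style error) from a redirect to a login page, which the spec forbids. The Location strings in the test are constructed, modelled on the question's output.

```python
from urllib.parse import urlsplit, parse_qs

# Error codes a prompt=none request may legitimately produce (OIDC Core 1.0, section 3.1.2.6).
PROMPT_NONE_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}

# redirect_uri from the question's request (decoded).
REDIRECT_URI = "http://localhost:8080/my-app/my-ctx"


def validate_prompt(prompt_value):
    """Rule quoted in the answer: 'none' must not be combined with any other prompt value.

    prompt is a space-delimited list, e.g. "none login" (the answer's curl sends it as none+login).
    """
    values = prompt_value.split()
    if "none" in values and len(values) > 1:
        return "invalid_request"
    return "ok"


def classify_prompt_none_response(status, location, redirect_uri=REDIRECT_URI):
    """Classify the authorization server's reply to a prompt=none request.

    Returns one of:
      'authenticated'     302 back to redirect_uri carrying an authorization code
      'error:<code>'      302 back to redirect_uri carrying one of PROMPT_NONE_ERRORS
      'nonconforming_ui'  302 to some other URL (e.g. a login page); the spec says the
                          server MUST NOT show an authentication or consent UI here
      'unexpected'        anything else
    """
    if status != 302 or not location:
        return "unexpected"
    loc, target = urlsplit(location), urlsplit(redirect_uri)
    # Compare scheme, host:port and path; the query carries the result and is inspected below.
    if (loc.scheme, loc.netloc, loc.path) != (target.scheme, target.netloc, target.path):
        return "nonconforming_ui"
    params = parse_qs(loc.query)
    if "code" in params:
        return "authenticated"
    error = params.get("error", [None])[0]
    if error in PROMPT_NONE_ERRORS:
        return "error:" + error
    return "unexpected"


if __name__ == "__main__":
    # Constructed Location value shaped like the one in the question (login page, not redirect_uri).
    login_redirect = "https://localhost:9443/commonauth/?sessionDataKey=EXAMPLE&type=oidc"
    print(classify_prompt_none_response(302, login_redirect))  # nonconforming_ui
```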