offline_access prior consent and application_type

Issue #1062 resolved
Filip Skokan created an issue

Core section 11 https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

Upon receipt of a scope parameter containing the offline_access value, the Authorization Server:

  • MUST ensure that the prompt parameter contains consent unless other conditions for processing the request permitting offline access to the requested resources are in place; unless one or both of these conditions are fulfilled, then it MUST ignore the offline_access request,
  • MUST ignore the offline_access request unless the Client is using a response_type value that would result in an Authorization Code being returned,
  • MUST explicitly receive or have consent for all Clients when the registered application_type is web
  • SHOULD explicitly receive or have consent for all Clients when the registered application_type is native.

  1. What is the history behind the last two points? Since prompt is being requested anyway, an explicit consent is already being rendered.
  2. Isn't the MUST/SHOULD mistakenly switched between the two application types?
  3. Why for all Clients?

Comments (8)

  1. Michael Jones

    I think that the SHOULD for native applications is there because you may be implicitly consenting to use the native app by downloading and running it. Furthermore, mobile OSs tend to have explicit resource access consent prompts.

  2. gffletch

    +1 to what Mike said

    In addition, the thinking was that it is a MUST for web clients to obtain explicit user consent for the offline_access scope because it should not be possible for a user to go through an authentication/authorization event and not know that they are granting consent to the confidential client to access their data when they are not present. Without this MUST, a web property could request the user to go through an "email verification" flow and then tack on the "offline_access" scope and if the user doesn't see consent, then the property could have long lived access to the user's data without their knowledge or consent.

    Finally, I don't believe the first point is requiring prompt=consent in the request per the "unless other conditions" clause.

    Hope that helps
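The four section 11 rules quoted in the issue, and the "email verification plus tacked-on offline_access" scenario gffletch describes, can be checked mechanically on the authorization server. The following is an added example written for this thread, not code from the OpenID specification or from any provider; the `Client`/`AuthRequest` shapes, the `prior_consent` set of (client_id, scope) pairs standing in for the "have consent" branch, and the `native_implicit_consent` policy flag (exercising the SHOULD for native clients, with the install-as-consent reasoning from the comments) are all assumptions made here. The MUST for web clients is never relaxed by that flag.

```python
"""offline_access processing per OpenID Connect Core 1.0 section 11.

Added illustration for this issue thread; not the OpenID Foundation's or any
provider's code. Request/client shapes, the prior_consent record and the
native_implicit_consent policy are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    application_type: str      # registered as "web" or "native"


@dataclass(frozen=True)
class AuthRequest:
    client_id: str
    response_type: str         # space-separated, e.g. "code", "code id_token", "id_token"
    scope: str                 # space-separated
    prompt: str = ""           # space-separated, e.g. "consent"


@dataclass
class Decision:
    scopes: List[str]          # scopes the request proceeds with
    offline_access: bool       # True if offline_access survived the rules
    render_consent: bool       # True if the AS must show a consent screen now
    reason: str


def code_would_be_returned(response_type: str) -> bool:
    # Second bullet: only response_type values that return an Authorization
    # Code ("code", "code id_token", "code token", ...) qualify.
    return "code" in response_type.split()


def process_offline_access(req: AuthRequest, client: Client,
                           prior_consent: Set[Tuple[str, str]],
                           native_implicit_consent: bool = False) -> Decision:
    """Apply the section 11 rules to one authorization request.

    prior_consent: (client_id, scope) pairs the user granted earlier; this is
    the "have consent" branch of the rules (assumed persistence model).
    native_implicit_consent: deployment policy using the SHOULD for native
    clients (app install treated as consent). It never applies to web clients,
    for which the rule is a MUST.
    """
    scopes = req.scope.split()
    if "offline_access" not in scopes:
        return Decision(scopes, False, False, "offline_access not requested")
    without = [s for s in scopes if s != "offline_access"]

    if not code_would_be_returned(req.response_type):
        return Decision(without, False, False,
                        "ignored: response_type would not return an Authorization Code")

    prompt_consent = "consent" in req.prompt.split()
    already_consented = (client.client_id, "offline_access") in prior_consent

    if prompt_consent:
        # prompt=consent forces a consent screen, so consent is explicitly received now.
        return Decision(scopes, True, True, "consent requested via prompt=consent")
    if already_consented:
        # Consent previously granted and stored: the "have consent" case.
        return Decision(scopes, True, False, "consent previously granted on record")
    if client.application_type == "native" and native_implicit_consent:
        # SHOULD, not MUST: a deployment may count the app install as consent.
        return Decision(scopes, True, False,
                        "native client; deployment policy treats install as consent")
    # Web client (MUST), or native client under the default strict policy:
    # no consent received now or on record, so offline_access is dropped.
    return Decision(without, False, False,
                    f"ignored: no consent received or on record for {client.application_type} client")


if __name__ == "__main__":
    web = Client("mail-verifier", "web")
    # Constructed request matching the scenario in the comments: an "email
    # verification" login with offline_access tacked on and no prompt=consent.
    sneaky = AuthRequest("mail-verifier", "code", "openid email offline_access")
    print(process_offline_access(sneaky, web, prior_consent=set()))
```

Running the module prints the decision for the tacked-on request: `offline_access` is dropped and the request proceeds with `openid email` only, which is exactly the outcome the MUST for web clients is meant to guarantee. Flipping the request to a native client with `native_implicit_consent=True` is the one path on which a refresh token can be issued without a consent screen or a stored grant.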
