offline_access prior consent and application_type
Core section 11 https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
Upon receipt of a scope parameter containing the offline_access value, the Authorization Server:
- MUST ensure that the prompt parameter contains consent unless other conditions for processing the request permitting offline access to the requested resources are in place; unless one or both of these conditions are fulfilled, then it MUST ignore the offline_access request,
- MUST ignore the offline_access request unless the Client is using a response_type value that would result in an Authorization Code being returned,
- MUST explicitly receive or have consent for all Clients when the registered application_type is web,
- SHOULD explicitly receive or have consent for all Clients when the registered application_type is native.
- What is the history behind the last two points? Since prompt is being requested anyway, an explicit consent is already being rendered.
- Isn't the MUST/SHOULD mistakenly switched between the two application types?
- Why "for all Clients"?
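The four rules quoted above, applied as an Authorization Server's decision logic for a single authorization request. This is an added illustration, not code from the OpenID Foundation or from this issue thread; the prior_consent and native_install_is_consent inputs are assumptions standing in for the "other conditions" clause and for the native-app reading discussed below.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    honor_offline_access: bool  # may a refresh token for offline use be issued?
    render_consent: bool        # must a consent screen be shown first?
    effective_scope: str        # scope after dropping an ignored offline_access
    reason: str

def evaluate_offline_access(scope, prompt, response_type, application_type,
                            prior_consent=False, native_install_is_consent=False):
    """Apply the Core section 11 rules to one authorization request.

    prior_consent (assumption): the server already holds an explicit grant
    from this user to this Client, i.e. the "other conditions" clause.
    native_install_is_consent (assumption): server policy that installing
    and running a native app counts as consent, as discussed in the thread.
    """
    scopes = scope.split()
    prompts = set(prompt.split()) if prompt else set()
    without = " ".join(s for s in scopes if s != "offline_access")

    if "offline_access" not in scopes:
        return Decision(False, False, scope, "offline_access not requested")

    # Rule 2: only a response_type that returns an Authorization Code qualifies,
    # so implicit flows (id_token, id_token token) never get offline access.
    if "code" not in response_type.split():
        return Decision(False, False, without,
                        "ignored: response_type returns no Authorization Code")

    # Rule 1 with prompt=consent: the consent screen is rendered regardless of
    # application_type, so the MUST/SHOULD split does not come into play here.
    if "consent" in prompts:
        return Decision(True, True, scope, "explicit consent screen rendered")

    # No prompt=consent: fall back to consent the server already has.
    # Web Clients MUST have received it explicitly (a recorded grant); for
    # native Clients the server may also accept installation as consent.
    implied = application_type == "native" and native_install_is_consent
    if prior_consent or implied:
        return Decision(True, False, scope, "consent already on record")
    return Decision(False, False, without,
                    "ignored: no prompt=consent and no consent on record")
```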
Comments (8)
- reporter - I think that the SHOULD for native applications is there because you may be implicitly consenting to use the native app by downloading and running it. Furthermore, mobile OSs tend to have explicit resource access consent prompts.
- +1 to what Mike said.

  In addition, the thinking was that it is a MUST for web clients to obtain explicit user consent for the offline_access scope because it should not be possible for a user to go through an authentication/authorization event and not know that they are granting consent to the confidential client to access their data when they are not present. Without this MUST, a web property could request the user to go through an "email verification" flow and then tack on the "offline_access" scope, and if the user doesn't see consent, then the property could have long lived access to the user's data without their knowledge or consent.

  Finally, I don't believe the first point is requiring prompt=consent in the request, per the "unless other conditions" clause.

  Hope that helps
- We should change "for all Clients" to "for the Client", since the current text is misleading.
- changed status to open
- changed status to resolved