Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When prompt=none is set, reauthorizing with a smaller set of scopes causes an error #63

Open
meagar opened this issue Feb 7, 2019 · 1 comment
Open

When prompt=none is set, reauthorizing with a smaller set of scopes causes an error #63

meagar opened this issue Feb 7, 2019 · 1 comment
Labels
bug

Comments

@meagar
Copy link
Contributor

meagar commented Feb 7, 2019
edited
Loading

If I have previously authorized with a Doorkeeper-OIDC-based IDP using scope=openid+email+name, a prompt=none authorization request with a more narrow set of claims, such as scope=openid+email will fail. The error will indicate that user consent is required, however I think this is incorrect. The user has already granted consent for the email and name claims; my reauthorization request is only requesting the email claim, so I believe the correct behavior is to generate and return a new access token with the openid and email claims.

If this is in fact a bug, the problem seems to be that an exact match between the incoming scopes and previously granted access token's scopes is required by this method:

# lib/doorkeeper/openid_connect/helpers/controller.rb

# ....
def handle_prompt_param!(owner)
# ...
  prompt_values.each do |prompt|
    case prompt
    when 'none' then
      # ...
      raise Errors::ConsentRequired unless matching_tokens_for_resource_owner(owner).present?

# ...

def matching_tokens_for_resource_owner(owner)
  Doorkeeper::AccessToken.authorized_tokens_for(pre_auth.client.id, owner.id).select do |token|
    Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
  end
end

https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/lib/doorkeeper/openid_connect/helpers/controller.rb#L79
@toupeira toupeira added the bug label Feb 8, 2019
@toupeira toupeira mentioned this issue Feb 8, 2019
Closed
@toupeira
Copy link
Member

toupeira commented Feb 8, 2019

@meagar thanks for the report! I think you're right:

The user has already granted consent for the email and name claims; my reauthorization request is only requesting the email claim, so I believe the correct behavior is to generate and return a new access token with the openid and email claims.

That is what I would expect as well, I can't find anything concrete in the specs except for this section:

Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope

I've started to look into this in #65, but the problem is that Doorkeeper also performs an exact match in https://github.com/doorkeeper-gem/doorkeeper/blob/9ae5f9fff7234123216ae56f37c73534a7373654/lib/doorkeeper/models/access_token_mixin.rb#L104. So even though the OIDC code won't raise an error anymore, Doorkeeper will still render the authorization form.

I'll open an issue on the Doorkeeper gem!

@toupeira toupeira mentioned this issue Feb 8, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WIP: Support reauthorization with a narrower set of scopes doorkeeper-gem/doorkeeper-openid_connect
2 participants
@toupeira @meagar