It occurred to us that whenever a user logs in again to a client to which he has already consented to give access to his resources (and specifically to offline_access, meaning the client will get a refresh token), he has to consent again.
Our app contains sensitive data; once a user logs in, he has access to financial operations. We must re-authenticate the identity of the user at least once a day. Making the user consent on every login can get tedious.
I just think of real-life applications: you don't consent every time you log in again to an app using an FB / Google account.
I can see that being not so nice. Let's see what we can do about it, @brockallen
Got a hint from Johnny to set the RequireConsent flag to false in the Client registration.
@twenzel But I want to prompt a consent screen. I just don't want to show it every single time the user logs in.
@urielb92 you're right. Let's see what leastprivilege or brockallen says.
If you were interested in the rights of the user to their own data, you should allow the user to decide whether the consent is durable.
thx ..tom
Subject: Re: [IdentityServer/IdentityServer4] Considering user's previous consent while logging-in again to a client asking for a Refresh Token (#928)
We had a look at https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess and it says:
The OP MUST always obtain consent to returning a Refresh Token that enables offline access to the requested resources.
We are looking into a way to modify this behavior, but we're not sure yet if this will be possible without a breaking change.
Okay, thanks a lot for the update!
We turned consent off for now, and are thinking of alternatives, maybe a one-time consent on the registration page.
Not ideal, but we need the login experience to be as smooth and easy as possible; we can't compromise in that area.
We'll keep track of this issue, hoping it will be possible to implement without breaking the current implementation.
Again, thanks for the awesome job 👍
Your easiest approach for this now is to replace (or derive from) our default consent service: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Services/DefaultConsentService.cs
and then copy the code from RequiresConsent: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Services/DefaultConsentService.cs#L50
but leave out the check for offline access: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Services/DefaultConsentService.cs#L72
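A concrete form of that suggestion, added here as an example rather than code from the IdentityServer4 project or this thread: an IConsentService implementation that keeps the default service's decision logic but drops the early "always prompt for offline_access" return, so a consent the user already stored (offline_access included) is honoured on the next login. The class name is made up, and the IUserConsentStore / Consent members used are assumed to match the IdentityServer4 version in use.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Stores;

// Same decision logic as DefaultConsentService.RequiresConsentAsync, minus the early
// "always prompt when offline_access is requested" return. Store/model member names
// are an assumption about the IdentityServer4 version in use.
public class RememberedOfflineAccessConsentService : IConsentService
{
    private readonly IUserConsentStore _store;

    public RememberedOfflineAccessConsentService(IUserConsentStore store) => _store = store;

    public async Task<bool> RequiresConsentAsync(ClaimsPrincipal subject, Client client, IEnumerable<string> scopes)
    {
        if (subject == null) throw new ArgumentNullException(nameof(subject));
        if (client == null) throw new ArgumentNullException(nameof(client));

        // Client configured to never ask, or nothing requested: no prompt.
        if (!client.RequireConsent) return false;
        var requested = scopes?.ToList() ?? new List<string>();
        if (requested.Count == 0) return false;

        // Deliberately no offline_access special case here; the default service returns true at this point.
        // A prompt can only be skipped if this client is allowed to remember consent at all.
        if (!client.AllowRememberConsent) return true;

        var consent = await _store.GetUserConsentAsync(subject.GetSubjectId(), client.ClientId);
        if (consent?.Scopes == null) return true;
        // Prompt again only if some requested scope (offline_access included) was never granted before.
        return requested.Except(consent.Scopes).Any();
    }

    public Task UpdateConsentAsync(ClaimsPrincipal subject, Client client, IEnumerable<string> scopes)
    {
        var granted = scopes?.ToList() ?? new List<string>();
        var subjectId = subject.GetSubjectId();
        if (!client.AllowRememberConsent || granted.Count == 0)
            return _store.RemoveUserConsentAsync(subjectId, client.ClientId);
        return _store.StoreUserConsentAsync(new Consent { SubjectId = subjectId, ClientId = client.ClientId, Scopes = granted });
    }
}
```

Register it after AddIdentityServer() with services.AddTransient<IConsentService, RememberedOfflineAccessConsentService>(). The stored consent still covers only the exact scope set that was granted, so a later request that adds a scope prompts again, and the user can be shown and allowed to revoke the stored grant like any other.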
I think you have a sufficient workaround, so I'll close this now.