Multiple consent sessions missing `login_challenge` and `login_session_id`

Hi!

We’re running Hydra alongside a web application and a mobile application.

Both are requesting openid offline scope and a code response type. The mobile application is using PKCE and providing a code_challenge and code_challenge_method.

As users log into the web application (multiple devices, browsers, etc.) only a single consent session is ever created.

As users log into our mobile application we are seeing multiple consent sessions created that are missing login_challenge and login_session_id values. Only the first has these values set.

Any help determining why this is happening would be appreciated!

Sorry, I don’t really understand the problem. Could you please provide a more detailed example, with configuration, the version you use, and so on. Thanks!

Thanks for the reply! I’ll try to elaborate.

The problem is that Hydra is creating duplicate consent sessions for the same client_id and subject pair.

We’re using the ory/hydra:v1.2.0 image and this is how we create our client:

hydra clients create \
    --endpoint http://localhost:4445 \
    --grant-types authorization_code,refresh_token \
    --response-types code,id_token \
    --scope openid,offline \
    --callbacks company://oauth/success \
    --token-endpoint-auth-method none \
    --client-uri https://company.com/app \
    --post-logout-callbacks company://oauth/logout

We take the generated client_id and configure the OAuth 2.0 library in our application.

Imagine the user logs into the application, logs out, then logs back in again.

When we list all consent sessions of a subject we see two sessions.

Is it wrong to assume that there should only be a single consent session since the client_id and subject are the same?
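The check described above (listing a subject's consent sessions and comparing the ones that share a client_id), as an added example that is not part of the original thread. It parses a constructed sample of the admin API's consent-session response, groups sessions by (client_id, subject), and flags each duplicate that lacks login_challenge/login_session_id, alongside its granted scope so that scope differences can be ruled out; the field names follow the Hydra v1.x consent-session response and the values are made up.

```python
import json
from collections import defaultdict

# Constructed sample of GET /oauth2/auth/sessions/consent?subject=<subject>
# on the Hydra admin API: two sessions for the same client/subject pair,
# the second one missing the login linkage. Values are made up.
SAMPLE_SESSIONS = json.loads("""
[
  {"consent_request": {"challenge": "c1", "subject": "user-123",
     "client": {"client_id": "mobile-app"},
     "login_challenge": "l1", "login_session_id": "s1",
     "requested_scope": ["openid", "offline"]},
   "grant_scope": ["openid", "offline"], "remember": true},
  {"consent_request": {"challenge": "c2", "subject": "user-123",
     "client": {"client_id": "mobile-app"},
     "login_challenge": "", "login_session_id": "",
     "requested_scope": ["openid", "offline"]},
   "grant_scope": ["openid", "offline"], "remember": true}
]
""")


def audit_consent_sessions(sessions):
    """Group consent sessions by (client_id, subject) and return only the
    pairs with more than one session, marking which ones lack the
    login_challenge/login_session_id linkage."""
    by_pair = defaultdict(list)
    for s in sessions:
        req = s["consent_request"]
        key = (req["client"]["client_id"], req["subject"])
        by_pair[key].append({
            "challenge": req["challenge"],
            "scope": sorted(s.get("grant_scope", [])),
            "remember": s.get("remember", False),
            "has_login_link": bool(req.get("login_challenge"))
            and bool(req.get("login_session_id")),
        })
    return {k: v for k, v in by_pair.items() if len(v) > 1}


def explain(duplicates):
    """Render the audit result as one line per session for a quick diff."""
    lines = []
    for (client_id, subject), sessions in duplicates.items():
        lines.append(f"{client_id} / {subject}: {len(sessions)} sessions")
        for s in sessions:
            flag = "" if s["has_login_link"] else "  <- no login_challenge/login_session_id"
            lines.append(f"  {s['challenge']} scope={s['scope']} remember={s['remember']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(audit_consent_sessions(SAMPLE_SESSIONS)))
```

Pointing it at a real response instead of the sample (json.load on the admin API output) gives the same per-pair breakdown for a live subject.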

Did you set remember: true? Also I recommend upgrading to a newer version!

@hackerman Yes, we’re setting remember: true for each login/consent request.

Are you requesting different scopes in each request? It’s also possible that there was a bug in 1.2 which is resolved in newer versions. I remember that we fixed a couple of things there.

Negative – if I diff the two consent session payloads from the REST API, the only differences are the challenge field (which makes sense) and that the most recent one has an empty string for login_challenge and login_session_id.

I’ll try upgrading and then report back!