Q about / possible bug in remembering consent


#1

Hi,

In my custom login app when I’ve got a remembered session already and try to authenticate again, I’m getting the error below.

Looks like the “remember” parameter in the body of the ‘/oauth2/auth/requests/login/’ + challenge + ‘/accept’ request being true is the culprit. If I conditionally set it to false when the skip param in the ‘/oauth2/auth/requests/login/’ + challenge response was true, I don’t get the error.

From the comment above the remember param in the nodejs pseudo code on https://www.ory.sh/docs/guides/master/hydra/3-overview/1-oauth2#user-login I assumed that the remember param in the accept request would just be ignored if the skip in the login response was true, but that doesn’t seem to be the case.

Is it a bug that the remember param is not being ignored or should the sample/docs be more clear about this? Or am I doing something completely wrong, always a possibility as well :slight_smile:

Note: the same seems to apply to the consent app/flow

LOGS:
hydra_1 | time=“2018-09-07T11:05:20Z” level=info msg=“started handling request” method=PUT remote=“172.18.0.1:57708” request=/oauth2/auth/requests/login/f7d1eb0940a54a90bfca285f304fe359/accept
hydra_1 | time=“2018-09-07T11:05:20Z” level=error msg=“An error occurred while handling a request” code=400 details=“map[]” error=“Can not remember authentication because no user interaction was required” reason= request-id= status= trace=“Stack trace: \ngithub.com/ory/hydra/consent.(*Handler).AcceptLoginRequest\n\t/go/src/github.com/ory/hydra/consent/handler.go:313\ngithub.com/ory/hydra/consent.(*Handler).AcceptLoginRequest-fm\n\t/go/src/github.com/ory/hydra/consent/handler.go:67\ngithub.com/ory/hydra/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter/router.go:299\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.Wrap.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:46\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:29\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1947\ngithub.com/ory/hydra/cmd/server.(*Handler).rejectInsecureRequests\n\t/go/src/github.com/ory/hydra/cmd/server/handler.go:260\ngithub.com/ory/hydra/cmd/server.(*Handler).(github.com/ory/hydra/cmd/server.rejectInsecureRequests)-fm\n\t/go/src/github.com/ory/hydra/cmd/server/handler.go:58\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:29\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/ory/metrics-middleware.(*MetricsManager).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/ory/metrics-middleware/middleware.go:160\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/go/src/github.com/ory/hydra/metrics/prometheus/middleware.go:26\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus/middleware.go:136\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:38\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:96\ngithub.com/ory/hydra/vendor/github.com/rs/cors.(*Cors).Handler.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/rs/cors/cors.go:200\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1947\ngithub.com/ory/hydra/vendor/github.com/gorilla/context.ClearHandler.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/gorilla/context/context.go:141\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1947\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2697\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1830\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:2361” writer=JSON


#2

If skip is true, remember must be false because user interaction was not required. But user authentication is still valid for consecutive requests. To remove the user session, use one of the documented APIs (in the API docs) or check the user guide.
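
The rule from the reply above, as an added example that is not part of the original posts or of Hydra's own code: a login handler that leaves `remember` out of the accept body whenever the login request came back with `skip` set. `makeFakeHydra`, `buildAcceptBody`, `handleLogin`, the `authenticate` callback, the redirect URL and the 3600-second lifetime are assumptions; the fake admin API is constructed so the block runs offline and rejects the same combination the log shows.

```javascript
// Constructed stand-in for Hydra's admin API. It enforces the rule from the
// thread: accepting with remember=true after skip=true returns HTTP 400.
function makeFakeHydra(loginRequests) {
  return {
    async get(path) {
      return loginRequests[path.split('/').pop()];
    },
    async put(path, body) {
      const challenge = path.split('/').slice(-2)[0];
      if (loginRequests[challenge].skip && body.remember) {
        return {
          status: 400,
          error: 'Can not remember authentication because no user interaction was required',
        };
      }
      return { status: 200, redirect_to: 'https://hydra.example/continue' };
    },
  };
}

// Build the accept payload. With skip=true the user was never prompted, so
// the subject is taken from the existing session and remember is omitted.
function buildAcceptBody(loginRequest, form) {
  if (loginRequest.skip) {
    return { subject: loginRequest.subject };
  }
  return {
    subject: form.subject,
    remember: Boolean(form.remember),
    remember_for: 3600, // seconds; assumed value
  };
}

// authenticate() is a hypothetical callback that renders the login form and
// resolves to { subject, remember }. It is not called when skip is true.
async function handleLogin(hydra, challenge, authenticate) {
  const base = '/oauth2/auth/requests/login/' + challenge;
  const loginRequest = await hydra.get(base);
  const form = loginRequest.skip ? null : await authenticate();
  return hydra.put(base + '/accept', buildAcceptBody(loginRequest, form));
}
```

The same shape applies to the consent handler, which post #1 notes behaves the same way.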


#3

Ok, maybe make the fact that the ‘remember’ property MUST be false if the ‘skip’ property is true more clear in the docs?

As I mentioned above, the docs (as I read them) seem to suggest the ‘remember’ parameter’s value will be ignored when ‘skip’ is true, but as you indicated it isn’t ignored: you MUST either exclude it or have it set to false.


#4

Right, that should definitely be improved in the docs. Can you create a PR or issue in github.com/ory/docs to track this? Thanks!