Skip never true after accepting the first consent challenge with remember=true

ghenry · May 20, 2020, 9:08pm

Hi all,

I’m going crazy now for a few days and need some help. Why oh why when I accept a consent challenge after accepting a login challenge, with both marked remember true and for 3600, does the second attempt never return skip = true?

I’m not changing anything client side, but am using AppAuth and PKCE. Is it the PKCE making the consent request look difference to Hydra?

Thanks.

ghenry · May 20, 2020, 9:15pm

I think this may be the case as PKCE isn’t a clear cut as a client id with a client secret?

github.com

ory/hydra/blob/master/consent/strategy_default.go#L474


	prompt := stringsx.Splitx(ar.GetRequestForm().Get("prompt"), " ")
	if stringslice.Has(prompt, "consent") {
		return s.forwardConsentRequest(w, r, ar, authenticationSession, nil)
	}

	// https://tools.ietf.org/html/rfc6749
	//
	// As stated in Section 10.2 of OAuth 2.0 [RFC6749], the authorization
	// server SHOULD NOT process authorization requests automatically
	// without user consent or interaction, except when the identity of the
	// client can be assured.  This includes the case where the user has
	// previously approved an authorization request for a given client id --
	// unless the identity of the client can be proven, the request SHOULD
	// be processed as if no previous request had been approved.
	//
	// Measures such as claimed "https" scheme redirects MAY be accepted by
	// authorization servers as identity proof.  Some operating systems may
	// offer alternative platform-specific identity features that MAY be
	// accepted, as appropriate.
	if ar.GetClient().IsPublic() {
		// The OpenID Connect Test Tool fails if this returns `consent_required` when `prompt=none` is used.

ghenry · May 20, 2020, 9:34pm

I’ll check this SQL:

github.com

ory/hydra/blob/5661ec3ba57fe3a3d86dc4bddc963c1da07101d3/consent/manager_sql.go#L415


}

func (m *SQLManager) DeleteLoginSession(ctx context.Context, id string) error {
	if _, err := m.DB.ExecContext(ctx, m.DB.Rebind("DELETE FROM hydra_oauth2_authentication_session WHERE id=?"), id); err != nil {
		return sqlcon.HandleError(err)
	}

	return nil
}

func (m *SQLManager) FindGrantedAndRememberedConsentRequests(ctx context.Context, client, subject string) ([]HandledConsentRequest, error) {
	var a []HandledConsentRequest

	if err := m.DB.SelectContext(ctx, &a, m.DB.Rebind(`SELECT h.* FROM
	hydra_oauth2_consent_request_handled as h
JOIN
	hydra_oauth2_consent_request as r ON (h.challenge = r.challenge)
WHERE
		r.subject=? AND r.client_id=? AND r.skip=FALSE
	AND
		(h.error='{}' AND h.remember=TRUE)

ghenry · May 20, 2020, 9:49pm

So running this by hand inside the docker pg container putting my subject and native app client_id in the SQL placeholders returns this:

-[ RECORD 1 ]--------+----------------------------------------------------------------------------------------------------------------
challenge            | 99fc2131ef4b4d149b13c7ab2be93782
granted_scope        | openid|offline
remember             | t
remember_for         | 3600
error                | {}
requested_at         | 2020-05-20 13:19:07.036145
session_access_token | {"realm":"testing"}
session_id_token     | {"email":"[email protected]","fullname":"Gavin Henry","name":"Gavin","surname":"Henry","username":"gavinhenry"}
authenticated_at     | 
was_used             | t
granted_at_audience  | 
handled_at           | 2020-05-20 13:19:29.13488

so any ideas why I get asked for consent again within the 3600 secs @hackerman

Thanks.

hackerman · May 22, 2020, 12:45pm

What version are you running?

ghenry · May 22, 2020, 1:04pm

5661ec3b / master running a modified quickstart.yml from the 5 min demo.

hackerman · May 22, 2020, 3:30pm

Oh I get it now - you’re using a public client without a secret?

ghenry · May 22, 2020, 4:57pm

That’s right. Using AppAuth with PKCE and code challenge hashes etc

hackerman · May 23, 2020, 2:26pm

The consent remember feature is not available for public clients, only for private ones. I believe there’s even an OpenID Connect Conformity check for that, which is required to pass certification.

hackerman · May 23, 2020, 3:38pm

Yup, this is documented at that specific code line:

We should definitely document this though. Maybe in the advanced section on public clients?

ghenry · May 23, 2020, 3:47pm

This sentence is hard to grok If the public client sends prompt=none and Hydra returns consent_required ???

Bottom line is consent can never be skipped on a public client, i.e. just a client id and no secret (PKCE used too)?

Reading more into the comments there, should “authentication” be skipped either on a public client?

Just below that comment, if the scheme is https, consent can be skipped?

If an HTTPS redirect URI is required instead of a custom scheme, the same approach (modifying your AndroidManifest.xml) is used:

github.com

openid/AppAuth-Android/blob/master/README.md

![AppAuth for Android](https://rawgit.com/openid/AppAuth-Android/master/appauth_lockup.svg)

[![Download](https://api.bintray.com/packages/openid/net.openid/appauth/images/download.svg) ](https://bintray.com/openid/net.openid/appauth/_latestVersion)
[![Javadocs](http://javadoc.io/badge/net.openid/appauth.svg)](http://javadoc.io/doc/net.openid/appauth)
[![Build Status](https://travis-ci.org/openid/AppAuth-Android.svg?branch=master)](https://travis-ci.org/openid/AppAuth-Android)
[![Codacy Badge](https://api.codacy.com/project/badge/grade/321412eec811478085ec6c4c923ad8a1)](https://www.codacy.com/app/iainmcgin/AppAuth-Android)
[![codecov.io](https://codecov.io/github/openid/AppAuth-Android/coverage.svg?branch=master)](https://codecov.io/github/openid/AppAuth-Android?branch=master)

AppAuth for Android is a client SDK for communicating with
[OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
[OpenID Connect](http://openid.net/specs/openid-connect-core-1_0.html) providers.
It strives to
directly map the requests and responses of those specifications, while following
the idiomatic style of the implementation language. In addition to mapping the
raw protocol flows, convenience methods are available to assist with common
tasks like performing an action with fresh tokens.

The library follows the best practices set out in
[RFC 8252 - OAuth 2.0 for Native Apps](https://tools.ietf.org/html/rfc8252),
including using

This file has been truncated. show original

Re docs, yes, in the Login and Consent Flow documentation and advanced. Anywhere that mentions skip=true really

Thanks.

hackerman · May 23, 2020, 5:23pm

Yes, that is how the OpenID Connect tests demand it, even with https. At least as far I remember, it’s been a while. Happy to take another look if you point me to docs / certification that proves otherwise.

hackerman · May 23, 2020, 5:26pm

Sorry, scrap the https comment - for https this is not the case.

hackerman · May 23, 2020, 5:29pm

I’m guessing you’re using a custom redirect scheme for your app?

ghenry · May 23, 2020, 6:27pm

So you can skip with https which, with public clients using AppAuth (native apps on mobile), it is the preferred way, then you can fall back to custom schemes according to the docs.

ghenry · May 23, 2020, 6:28pm

Yeah, that’s what AppAuth needs. It can be https though, as per the examples I linked to before.

ghenry · May 23, 2020, 6:30pm

github.com

openid/AppAuth-Android/blob/master/README.md

![AppAuth for Android](https://rawgit.com/openid/AppAuth-Android/master/appauth_lockup.svg)

[![Download](https://api.bintray.com/packages/openid/net.openid/appauth/images/download.svg) ](https://bintray.com/openid/net.openid/appauth/_latestVersion)
[![Javadocs](http://javadoc.io/badge/net.openid/appauth.svg)](http://javadoc.io/doc/net.openid/appauth)
[![Build Status](https://travis-ci.org/openid/AppAuth-Android.svg?branch=master)](https://travis-ci.org/openid/AppAuth-Android)
[![Codacy Badge](https://api.codacy.com/project/badge/grade/321412eec811478085ec6c4c923ad8a1)](https://www.codacy.com/app/iainmcgin/AppAuth-Android)
[![codecov.io](https://codecov.io/github/openid/AppAuth-Android/coverage.svg?branch=master)](https://codecov.io/github/openid/AppAuth-Android?branch=master)

AppAuth for Android is a client SDK for communicating with
[OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
[OpenID Connect](http://openid.net/specs/openid-connect-core-1_0.html) providers.
It strives to
directly map the requests and responses of those specifications, while following
the idiomatic style of the implementation language. In addition to mapping the
raw protocol flows, convenience methods are available to assist with common
tasks like performing an action with fresh tokens.

The library follows the best practices set out in
[RFC 8252 - OAuth 2.0 for Native Apps](https://tools.ietf.org/html/rfc8252),
including using

This file has been truncated. show original

If an HTTPS redirect URI is required instead of a custom scheme, the same approach (modifying your AndroidManifest.xml) is used:

<activity
        android:name="net.openid.appauth.RedirectUriReceiverActivity"
        tools:node="replace">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"
              android:host="app.example.com"
              android:path="/oauth2redirect"/>
    </intent-filter>
</activity>

HTTPS redirects can be secured by configuring the redirect URI as an app link in Android M and above. We recommend that a fallback page be configured at the same address to forward authorization responses to your app via a custom scheme, for older Android devices.

hackerman · May 24, 2020, 8:19am

Ok, so then silent refresh works with that workaround? Is there another issue or is that the solution

ghenry · May 24, 2020, 8:39am

If you mean with a refresh token, yep. For me, I’m using a custom scheme and not the https one yet as discussed in that guide. Because I need session and id data in the consent reply and consent can’t be skipped (https://github.com/ory/hydra/issues/1861), I have to always ask for a fresh login.

That’s no problem though as I have a refresh token. What use cases are there for the skipping login anyway? I suppose if you’re not allowing offline access?

Thanks.

cburmeister · June 9, 2020, 4:23pm

Is it accurate that public clients (missing a client_secret) with a non https redirect scheme can never be verified and should always prompt users for their consent?