I’m going crazy now for a few days and need some help. Why oh why when I accept a consent challenge after accepting a login challenge, with both marked remember true and for 3600, does the second attempt never return skip = true?
I’m not changing anything client side, but am using AppAuth and PKCE. Is it the PKCE making the consent request look different to Hydra?
Yes, that is how the OpenID Connect tests demand it, even with https. At least as far as I remember, it’s been a while. Happy to take another look if you point me to docs / certification that proves otherwise.
If an HTTPS redirect URI is required instead of a custom scheme, the same approach (modifying your AndroidManifest.xml) is used:
HTTPS redirects can be secured by configuring the redirect URI as an app link in Android M and above. We recommend that a fallback page be configured at the same address to forward authorization responses to your app via a custom scheme, for older Android devices.
If you mean with a refresh token, yep. For me, I’m using a custom scheme and not the https one yet as discussed in that guide. Because I need session and id data in the consent reply and consent can’t be skipped (https://github.com/ory/hydra/issues/1861), I have to always ask for a fresh login.
That’s no problem though as I have a refresh token. What use cases are there for skipping login anyway? I suppose if you’re not allowing offline access?