I’ve been going crazy for a few days now and need some help. Why oh why, when I accept a consent challenge after accepting a login challenge, with both marked remember true and for 3600, does the second attempt never return skip = true?
I’m not changing anything client side, but am using AppAuth and PKCE. Is it the PKCE making the consent request look different to Hydra?
The consent remember feature is not available for public clients, only for private ones. I believe there’s even an OpenID Connect Conformity check for that, which is required to pass certification.
Yes, that is how the OpenID Connect tests demand it, even with https. At least as far as I remember; it’s been a while. Happy to take another look if you point me to docs / certification that proves otherwise.
So you can skip with https, which is the preferred way with public clients using AppAuth (native apps on mobile); then you can fall back to custom schemes according to the docs.
If an HTTPS redirect URI is required instead of a custom scheme, the same approach (modifying your AndroidManifest.xml) is used:
<activity
    android:name="net.openid.appauth.RedirectUriReceiverActivity"
    tools:node="replace">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"
              android:host="app.example.com"
              android:path="/oauth2redirect"/>
    </intent-filter>
</activity>
HTTPS redirects can be secured by configuring the redirect URI as an app link in Android M and above. We recommend that a fallback page be configured at the same address to forward authorization responses to your app via a custom scheme, for older Android devices.
If you mean with a refresh token, yep. For me, I’m using a custom scheme and not the https one yet as discussed in that guide. Because I need session and id data in the consent reply and consent can’t be skipped (https://github.com/ory/hydra/issues/1861), I have to always ask for a fresh login.
That’s no problem though as I have a refresh token. What use cases are there for the skipping login anyway? I suppose if you’re not allowing offline access?
Is it accurate that public clients (missing a client_secret) with a non https redirect scheme can never be verified and should always prompt users for their consent?
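As an added illustration of the behaviour discussed in this thread (the "consent remember is not available for public clients" point and the "consent can't be skipped" point), here is a small Python model of the skip decision a consent flow makes. It is example code written for this page, not Hydra's own code and not code posted by anyone in the thread. The concrete rules it encodes are assumptions drawn from the discussion: a client whose `token_endpoint_auth_method` is `"none"` is treated as public, a public client never receives `skip = true`, `prompt=consent` always forces the consent screen, and a remembered grant is reused only while it is unexpired and covers every requested scope. Verify these against the Hydra version you run.

```python
"""Constructed model of a "skip consent?" decision; not Hydra's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Client:
    client_id: str
    # Assumption: auth method "none" marks a public client (no client_secret),
    # which is what an AppAuth + PKCE native app registers as.
    token_endpoint_auth_method: str = "client_secret_basic"

    @property
    def is_public(self) -> bool:
        return self.token_endpoint_auth_method == "none"


@dataclass
class RememberedConsent:
    client_id: str
    subject: str
    granted_scope: set
    granted_at: datetime
    remember_for: int  # seconds; 0 means "remember indefinitely"

    def valid_at(self, now: datetime) -> bool:
        if self.remember_for == 0:
            return True
        return now < self.granted_at + timedelta(seconds=self.remember_for)


@dataclass
class ConsentRequest:
    client: Client
    subject: str
    requested_scope: set
    prompt: set = field(default_factory=set)


def can_skip_consent(req: ConsentRequest, remembered: list, now: datetime):
    """Return (skip, reason) for a consent request, under the rules above."""
    if "consent" in req.prompt:
        return False, "prompt=consent forces the consent screen"
    if req.client.is_public:
        # Assumption from the thread: remembered consent is never reused for
        # public clients, however remember/remember_for were set last time.
        return False, "public client: remembered consent is not reused"
    for grant in remembered:
        if grant.client_id != req.client.client_id or grant.subject != req.subject:
            continue
        if not grant.valid_at(now):
            continue
        if req.requested_scope <= grant.granted_scope:
            return True, "unexpired remembered grant covers the requested scope"
    return False, "no valid remembered grant for this client/subject/scope"


def accept_consent_body(req: ConsentRequest, remember: bool, remember_for: int) -> dict:
    """Body shape a consent app sends when accepting a consent challenge."""
    return {
        "grant_scope": sorted(req.requested_scope),
        "remember": remember,
        "remember_for": remember_for,
        "session": {"id_token": {}, "access_token": {}},
    }


def demo() -> dict:
    """Replay the situation from the thread with constructed sample data."""
    now = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
    scope = {"openid", "offline_access"}
    public = Client("mobile-app", token_endpoint_auth_method="none")
    confidential = Client("web-app")  # has a client_secret
    # First attempt for both clients was accepted with remember=True, 3600 s, 10 min ago.
    remembered = [
        RememberedConsent(c.client_id, "user-1", scope, now - timedelta(minutes=10), 3600)
        for c in (public, confidential)
    ]
    results = {
        "public_second_attempt": can_skip_consent(
            ConsentRequest(public, "user-1", scope), remembered, now)[0],
        "confidential_second_attempt": can_skip_consent(
            ConsentRequest(confidential, "user-1", scope), remembered, now)[0],
        "confidential_after_expiry": can_skip_consent(
            ConsentRequest(confidential, "user-1", scope), remembered,
            now + timedelta(hours=2))[0],
        "confidential_extra_scope": can_skip_consent(
            ConsentRequest(confidential, "user-1", scope | {"email"}), remembered, now)[0],
        "confidential_prompt_consent": can_skip_consent(
            ConsentRequest(confidential, "user-1", scope, {"consent"}), remembered, now)[0],
    }
    for name, skip in results.items():
        print(f"{name}: skip={skip}")
    return results


if __name__ == "__main__":
    demo()
```

The `public_second_attempt` case is the one from the opening post: remember was set and the grant has not expired, yet skip stays false purely because the client is public. The confidential client with the same remembered grant does get skip, and loses it again on expiry, on a wider scope, or when the request carries `prompt=consent`.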