I’m just cleaning up what I’ve done in OAuth 2.0 Authorize Code Flow + PKCE + AppAuth success. Thank you! And I have an issue once a user has logged in and given consent (well, for a first-class app, consent is automatic in this example).
So my flow, as per the example Login and Consent app is working correctly for the first login and auto-consent, but the second time I do it I have an issue (it’s within the session length I set in login and consent of 3600s each).
Let me explain. User logs in and a session is created in our Login and Consent App. Consent challenge comes in after this, so I have a session cookie so I know who logged in. I want to know because I set things in the access_token and id_token session data that I PUT back to Hydra.
Once I have PUT the consent, I delete the session. The next time the user comes in, Login and Consent are marked skip, so no session is created between the two in our server, so I don’t know who the user is to PUT back exactly like I did the first time.
I think I shouldn’t have to add in the session data again in the next consent acceptance if it’s marked SKIP as I don’t have it.
Make sense? What are others doing there? Whether login or consent are marked SKIP or not, we seem to have to always supply the same data in the consent acceptance, which feels wrong to me. I know the subject, but without creating an authenticated session our side again, I don’t have access to all the user info that I want.
Does it get overwritten each time?
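Added example, not the poster's own code: a helper for the consent handler that builds the session claims from the consent request's subject (plus any context saved when the login request was accepted) instead of from a local cookie session, so a SKIP round and a first round produce identical token data. It assumes the ORY Hydra admin-API field names (`skip`, `subject`, `requested_scope`, `requested_access_token_audience`, `context`) and a hypothetical in-memory user directory.

```python
# Added example (not from the original post): build a Hydra consent-accept body
# from the consent request alone, so the handler works whether or not Hydra
# marks the consent request as skip and no local cookie session exists.
# Assumed field names follow the ORY Hydra admin API (`skip`, `subject`,
# `requested_scope`, `requested_access_token_audience`, `context`).

USER_DIRECTORY = {  # constructed sample data standing in for a real user store
    "user-123": {"email": "alice@example.com", "roles": ["admin"]},
}


def lookup_user(subject):
    """Hypothetical user lookup keyed by the subject Hydra hands back."""
    user = USER_DIRECTORY.get(subject)
    if user is None:
        raise KeyError(f"unknown subject {subject!r}")
    return user


def build_consent_accept_body(consent_request, remember_for=3600):
    """Return the JSON body for PUT /oauth2/auth/requests/consent/accept.

    Claims are derived from `subject` (always present in the consent request)
    plus any `context` stored at login accept, never from a local session, so
    a skipped consent round yields the same token data as the first one.
    """
    subject = consent_request["subject"]
    user = lookup_user(subject)
    login_context = consent_request.get("context") or {}
    claims = {
        "email": user["email"],
        "roles": user["roles"],
        **login_context,  # data the login handler stashed at accept time, if any
    }
    return {
        "grant_scope": list(consent_request.get("requested_scope", [])),
        "grant_access_token_audience": list(
            consent_request.get("requested_access_token_audience", [])
        ),
        # `remember` only matters when Hydra did not skip this consent round.
        "remember": not consent_request.get("skip", False),
        "remember_for": remember_for,
        "session": {"access_token": claims, "id_token": claims},
    }
```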