Reputation: 362
Hi, I have an SPA (single page application) where I use the OAuth2 implicit grant for authorization. As identity server I have WSO2 Identity Server 5.4.1.
I am able to authorize the app and everything works as desired; I also configured it to skip the consent.
Here is the problem: I am trying to silently re-authenticate the logged-in user with the following link, with the help of the .../oauth2/authorize service and the parameter prompt=none:
https://xxx:9447/oauth2/authorize?response_type=id_token token&nonce=123&prompt=none&client_id=xxxx&scope=openid&redirect_uri=http://localhost:63342/myapp/www/index.html&id_token_hint=previous_user_token
With prompt=none, as written here:
http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint I should be able to authenticate the user when he is logged in and the consent is configured to be skipped or always approved.
But I always get the same error back in the URI:
http://localhost:63342/myapp/www/index.html#error_description=Authentication+required&error=login_required&session_state=state124124125125.1251512
Upvotes: 3
Views: 13535
Reputation: 817
The error login_required means that your user is not logged in at the IdP. You must first ask him to log in by redirecting him to the authorization endpoint without the prompt parameter set to none.
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError
login_required The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication.
According to the documentation, it seems that the user must choose the Approve Always option on the consent page. Have you tested with this option?
Docs: https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground
Click Approve to provide consent to this action. The screen mentions the service provider by name and requests the user's consent to provide user information to that particular service provider. The user can either Deny, to refuse to provide information to the service provider; Approve, to provide user profile information to this service provider only for this time;
or Approve Always, to provide approval to share user profile information with the service provider in the future too, without prompting for consent again.
Upvotes: 2