
feat(jans-auth-server): authz challenge should not require client_id and acr_values if valid device_session is provided #6867

Closed · 3 tasks
yuriyz opened this issue Nov 30, 2023 · 1 comment · Fixed by #7704
Labels: comp-jans-auth-server (Component affected by issue or PR), kind-feature (Issue or PR is a new feature request)
Comments

yuriyz (Contributor) commented Nov 30, 2023

Description

We should not require client_id and acr_values if valid device_session is provided.

Motivation:
Upon referencing the First Party Native Oauth RFC, it appears that a subsequent authorization request necessitates only a prompt and the device session value, as illustrated in the attached screenshot. However, when I tried to remove elements like "client_id" and "acr_values" from my Postman call, I encountered an error.

Test cases and code coverage

  • Write unit test to cover added/changed code
  • Update integration tests to cover added/changed code
  • Docs update
@yuriyz yuriyz added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Nov 30, 2023
@yuriyz yuriyz added this to the 1.0.21 milestone Nov 30, 2023
@yuriyz yuriyz self-assigned this Nov 30, 2023
@moabu moabu modified the milestones: 1.0.21, 1.0.22 Dec 14, 2023
yuriyz (Contributor, Author) commented Dec 19, 2023

Feedback:

Turns out the scope is also needed in subsequent requests. Otherwise, scope-dependent values such as id_token, for example, will be missing.

Steps to reproduce:

  • 1) Perform a multi-step authz challenge (omit the scope in the subsequent steps). 2) Query the token endpoint with an authorization code. --> The id_token will be missing.
  • 1) Perform a multi-step authz challenge (with scope=openid in every step). 2) Query the token endpoint with an authorization code. --> The id_token will be present.
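To make the rule discussed in the description and in the feedback comment above concrete, here is an added example, not Janssen code, of an in-memory model of a two-step authorization challenge: a later step needs only device_session and prompt, because client_id and acr_values are resolved from the session it references, while scope is read from each request and therefore still has to be sent on every step. All names (USERS, OTPS, SESSIONS, CODES, authorize_challenge, exchange_code, run_flow) and the credentials are constructed for the example; how Janssen itself stores or validates these parameters is not shown on this page.

```python
# Added example (not Janssen code): a minimal in-memory model of the rule
# discussed in this issue.  Stores and helper names (USERS, OTPS, SESSIONS,
# CODES, authorize_challenge, exchange_code, run_flow) are hypothetical.
import secrets
import time
from dataclasses import dataclass

# Constructed users and one-time codes, standing in for a real backend.
USERS = {"alice": "correct horse battery staple"}
OTPS = {"alice": "123456"}


class AuthzError(Exception):
    pass


@dataclass
class DeviceSession:
    client_id: str      # binding established by the first step
    acr_values: str
    username: str
    expires_at: float


SESSIONS: dict[str, DeviceSession] = {}   # device_session -> state
CODES: dict[str, dict] = {}               # authorization_code -> grant


def authorize_challenge(params: dict) -> dict:
    """One request to the authorization challenge endpoint.

    Returns {"device_session": ...} when another step is needed and
    {"authorization_code": ...} when the challenge completes.
    """
    now = time.time()
    session = None
    if "device_session" in params:
        session = SESSIONS.get(params["device_session"])
        if session is None or session.expires_at < now:
            raise AuthzError("invalid_device_session")
        # client_id and acr_values come from the session, so the client does
        # not have to repeat them.  If it sends client_id anyway it must match
        # the binding; otherwise a captured device_session could be completed
        # under a different client.
        if params.get("client_id", session.client_id) != session.client_id:
            raise AuthzError("invalid_request: client_id does not match device_session")
        client_id, acr_values = session.client_id, session.acr_values
    else:
        for name in ("client_id", "acr_values"):
            if name not in params:
                raise AuthzError(f"invalid_request: missing {name}")
        client_id, acr_values = params["client_id"], params["acr_values"]

    # scope is not carried by the session in this model; it is read from the
    # current request, so omitting it on a later step drops openid and the
    # id_token with it, which is what the feedback comment reports.
    scope = set(params.get("scope", "").split())

    if session is None:
        # Step 1: password check, then ask for a second factor.  The explicit
        # None check matters: USERS.get(None) == params.get("password") would
        # be True when both are missing.
        user = params.get("username")
        if user not in USERS or USERS[user] != params.get("password"):
            raise AuthzError("invalid_credentials")
        ds = secrets.token_urlsafe(32)
        SESSIONS[ds] = DeviceSession(client_id, acr_values, user, now + 300)
        return {"error": "otp_required", "device_session": ds}

    # Step 2: the OTP completes the challenge; the session is single-use.
    if params.get("otp") != OTPS.get(session.username):
        raise AuthzError("invalid_otp")
    del SESSIONS[params["device_session"]]
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "acr": acr_values,
                   "sub": session.username, "scope": scope}
    return {"authorization_code": code}


def exchange_code(code: str, client_id: str) -> dict:
    """Token endpoint: the code is single-use and bound to the client."""
    grant = CODES.pop(code, None)
    if grant is None or grant["client_id"] != client_id:
        raise AuthzError("invalid_grant")
    response = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    if "openid" in grant["scope"]:
        # A real server signs a JWT; the claims are enough for the model.
        response["id_token"] = {"sub": grant["sub"], "aud": client_id,
                                "acr": grant["acr"]}
    return response


def run_flow(scope_on_second_step: bool) -> dict:
    """Run both steps; the second step omits client_id and acr_values."""
    first = authorize_challenge({"client_id": "app-1", "acr_values": "otp",
                                 "scope": "openid profile", "prompt": "login",
                                 "username": "alice",
                                 "password": "correct horse battery staple"})
    second = {"device_session": first["device_session"], "prompt": "login",
              "otp": "123456"}
    if scope_on_second_step:
        second["scope"] = "openid profile"
    done = authorize_challenge(second)
    return exchange_code(done["authorization_code"], "app-1")
```

run_flow(True) yields a token response with an id_token; run_flow(False) sends the second step without scope and the id_token disappears, which is the reproduction described in the feedback. The model also rejects a second step whose client_id disagrees with the session binding, so making client_id optional does not let a captured device_session be completed under another client.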

@moabu moabu modified the milestones: 1.0.22, 1.0.23 Feb 1, 2024
yuriyz added a commit that referenced this issue Feb 13, 2024
…and acr_values if valid device_session is provided #6867

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
yuriyz added a commit that referenced this issue Feb 13, 2024
…and acr_values if valid device_session is provided #6867 (#7704)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>