
The Authorization Server requires End-User consent when set the offline_access scope #8660

Closed
sdayu opened this issue Feb 23, 2024 · 4 comments · Fixed by #8731
Labels
question Further information is requested

Comments

@sdayu

sdayu commented Feb 23, 2024

After updating to 2024.2.1, refresh_token requires offline_access. When I set the provider scope and identified the offline_access scope in the client, authentik showed

consent_required: The Authorization Server requires End-User consent

Please, help me to solve this problem.

@sdayu sdayu added the question Further information is requested label Feb 23, 2024
@BramVandenbossche

BramVandenbossche commented Feb 26, 2024

I had the same issue with my harbor instance after upgrading from 2023.10.7 -> 2024.2.1. For me it was solved when I placed the scopes in the same order as in authentik. I first added offline_access at the end, resulting in your issue. I have it now configured as this:

(two screenshots of the scope configuration omitted)

@nima-karimi

nima-karimi commented Feb 26, 2024

I also have this issue with Grafana as the client (reordering the scopes did not help). The client needs to send a prompt=consent parameter when requesting offline_access scope (#), but Grafana doesn't do that.

If I manually add the prompt parameter to the auth URL in Grafana, it works and takes me to the consent page. E.g., https://auth.example.com/application/o/authorize/?prompt=consent

The error is coming from this line:

```python
# Check in the authorize endpoint that raises the error shown above
if PROMPT_CONSENT not in self.prompt:
    raise AuthorizeError(
        self.redirect_uri, "consent_required", self.grant_type, self.state
    )
```

@bbaumgartl

bbaumgartl commented Feb 27, 2024

Thank you @nima-karimi, this worked. A downside is that the user always gets asked for their consent because it is not saved in the user account anymore.

PS: If I set the Authorization Flow of the Provider from implicit to explicit, the consent is saved. This seems kinda counterintuitive and in my opinion makes the use of the implicit flow useless. Is this the intended behaviour?

@BeryJu
Member

BeryJu commented Feb 28, 2024

@nima-karimi I suppose there was a mistake in the interpretation of the spec there, seeing as if prompt=consent isn't set authentik is supposed to just pretend the offline_access scope wasn't requested

@bbaumgartl The reason for this is when using a flow without a consent stage and the prompt=consent parameter is set, authentik will inject a consent stage into the flow that requires consent to always be given. If there already is such a stage in the flow (like with the default explicit authorization flow) then the OAuth provider can't change it so the settings of that stage will have higher priority
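The two behaviours discussed in this thread, side by side, as an added example that is not authentik's code: the check quoted by @nima-karimi rejects any authorization request that asks for offline_access without prompt=consent, while the behaviour @BeryJu describes (and OpenID Connect Core 1.0 section 11 specifies) simply ignores offline_access in that case, so the client still gets an access token but no refresh token. The function names, the sample authorization URLs and the client details are constructed for this example; only the parameter names and the consent_required error come from the thread.

```python
# Added example, not code from the authentik project.
# Models how an OIDC authorization endpoint should treat the offline_access
# scope in relation to the prompt parameter. Names below are assumptions.
from urllib.parse import parse_qs, urlsplit

PROMPT_CONSENT = "consent"
SCOPE_OFFLINE_ACCESS = "offline_access"


class AuthorizeError(Exception):
    """OIDC authorization error that would be sent back to the redirect_uri."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_authorize_request(url: str) -> dict:
    """Split an authorization request URL into scope/prompt sets and response_type."""
    qs = parse_qs(urlsplit(url).query)
    return {
        "scope": set(qs.get("scope", [""])[0].split()),
        "prompt": set(qs.get("prompt", [""])[0].split()),
        "response_type": qs.get("response_type", [""])[0],
    }


def offline_access_strict(params: dict) -> set:
    """Behaviour reported in the thread: refuse the whole request when
    offline_access is asked for without prompt=consent."""
    scope = set(params["scope"])
    if SCOPE_OFFLINE_ACCESS in scope and PROMPT_CONSENT not in params["prompt"]:
        raise AuthorizeError(
            "consent_required", "The Authorization Server requires End-User consent"
        )
    return scope


def offline_access_spec(params: dict) -> set:
    """Spec behaviour (OIDC Core 1.0 s.11): the server MUST ignore offline_access
    unless the response_type yields an authorization code and prompt includes
    consent. Ignoring means the request proceeds without a refresh token."""
    scope = set(params["scope"])
    if SCOPE_OFFLINE_ACCESS in scope:
        yields_code = "code" in params["response_type"].split()
        if not yields_code or PROMPT_CONSENT not in params["prompt"]:
            scope.discard(SCOPE_OFFLINE_ACCESS)
    return scope


def authorize_outcome(url: str) -> dict:
    """Summarise what a spec-conformant server grants for a given request:
    the effective scopes and whether a refresh token will be issued."""
    params = parse_authorize_request(url)
    granted = offline_access_spec(params)
    return {
        "scope": granted,
        "refresh_token": SCOPE_OFFLINE_ACCESS in granted,
    }


# Constructed sample requests modelled on the Grafana case in the thread.
NO_PROMPT_URL = (
    "https://auth.example.com/application/o/authorize/"
    "?response_type=code&client_id=grafana&redirect_uri=https%3A%2F%2Fgrafana.example.com%2Flogin"
    "&scope=openid+profile+email+offline_access"
)
CONSENT_URL = NO_PROMPT_URL + "&prompt=consent"

if __name__ == "__main__":
    print(authorize_outcome(NO_PROMPT_URL))  # offline_access dropped, no refresh token
    print(authorize_outcome(CONSENT_URL))    # offline_access kept, refresh token issued
    try:
        offline_access_strict(parse_authorize_request(NO_PROMPT_URL))
    except AuthorizeError as err:
        print("strict check:", err)
```

The practical difference for a client that cannot add prompt=consent (as Grafana could not here) is that the strict check turns every login into a consent_required error, whereas the spec behaviour lets the login succeed and only withholds the refresh token, which is also the behaviour a server should fall back to when it cannot establish that the user consented to offline access.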

5 participants