oauth2: Adds ability to detect previous consent #720

Closed · wants to merge 13 commits into base: master · 1 participant
aeneasr commented Dec 16, 2017

This commit aims at improving OpenID Connect conformity whilst making it
as easy as possible to implement the consent app.

For that reason, ORY Hydra is now capable of remembering user sessions
and previous consent requests, and properly handles OpenID Connect's
maxAge and prompt parameters.

Additionally, public OAuth 2.0 clients always require the full consent
flow.

  • Closes #692
  • Closes #697
  • Consent session sign out
  • #304
  • Check that, if user id from cookie mismatches with user id from consent request, either an error is thrown or the user from the consent request is used
oauth2: Adds ability to detect previous consent

@aeneasr aeneasr added this to the 0.11.0 milestone Dec 16, 2017

@aeneasr aeneasr self-assigned this Dec 16, 2017

aeneasr added some commits Dec 16, 2017

@aeneasr aeneasr modified the milestones: 0.12.0, 1.0.0-alpha1 Jan 15, 2018

aeneasr commented Feb 5, 2018

There are multiple things which need to be addressed:

  • Being able to revoke all of a subject's (user + oauth2 client) access + refresh tokens
  • Being able to revoke access of a specific application (oa2 client) for a user
  • Being able to destroy a user's session with regards to the consent flow

Let's take a closer look at the options.

Destroying previous consent session

I think this one's pretty easy. We could add something like DELETE /consent/requests?subject=<subject>[&client=<client>] which would delete all previous consent sessions, thus requiring the user to re-authenticate.

This could probably also revoke the access & refresh tokens that were issued with that request.

User logout

This would only destroy the user cookie but not revoke any tokens. Maybe along the lines of /oauth2/destroy-session?

aeneasr added some commits Feb 5, 2018

Merge remote-tracking branch 'origin/master' into consent-improvemenets
# Conflicts:
#	Gopkg.lock
#	Gopkg.toml
#	cmd/root_test.go
#	docs/api.swagger.json
#	oauth2/consent_strategy.go
#	oauth2/consent_test.go
Merge remote-tracking branch 'origin/master' into consent-improvemenets
# Conflicts:
#	oauth2/fosite_store_memory.go
#	oauth2/handler_test.go

@aeneasr aeneasr referenced this pull request Feb 8, 2018: oauth2: Improving the consent flow design #772 (Closed)
aeneasr commented May 20, 2018

This has been solved by another PR

@aeneasr aeneasr closed this May 20, 2018

@aeneasr aeneasr deleted the consent-improvemenets branch Jun 3, 2018