How Consent Form is Working? #1441

@johnnyAnd

I have the following set in my settings.py

OAUTH2_PROVIDER = {
    'ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
    'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600,
    # 'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore',
    'SCOPES': {
        'read': 'Read scope',
        'write': 'Write scope',
    },
    'PKCE_REQUIRED': False,  # Ensure PKCE is required as per security best practices
}

But I don't see the Authorize Consent Form every time I try to log in via OAuth. What is the exact thing in the Database or Cache that is stopping the consent form from appearing again? I want to show the consent form for Authorization each time the user logs in via OAuth.

Activity

n2ygk commented on Jul 25, 2024

Contributor

jaap3 commented on Aug 28, 2024

There is a setting REQUEST_APPROVAL_PROMPT, which controls when the consent screen is displayed. Setting this to 'force' will always show the consent screen.

The default is 'auto', meaning DOT will check if there is an active (non-expired) token for request.user with the same client and overlapping scopes as the current authorization request. If such a token exists, consent is automatically granted.

This means that, if the token isn't refreshed, the consent screen will reappear after ACCESS_TOKEN_EXPIRE_SECONDS (default: 36000, or 10 hours).
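
A minimal model of the 'auto' check as described in the comment above, added here as an illustration; it is not django-oauth-toolkit's code. The `Token` class, the `consent_required` function and the sample values are hypothetical, and "overlapping scopes" is assumed to mean that the requested scopes are a subset of the token's scopes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a stored access token (not DOT's model)."""
    user: str
    client_id: str
    scopes: frozenset
    expires: datetime


def consent_required(prompt, user, client_id, requested, tokens, now):
    """Return True when the consent screen must be shown for this request."""
    if prompt == "force":
        return True
    if prompt != "auto":
        raise ValueError(f"unknown approval prompt: {prompt!r}")
    requested = frozenset(requested)
    for tok in tokens:
        if (tok.user == user and tok.client_id == client_id
                and tok.expires > now            # expired tokens never count
                and requested <= tok.scopes):    # assumption: subset match
            return False                         # prior grant covers request
    return True


def demo():
    """Run the cases from the thread against one constructed token."""
    now = datetime(2024, 8, 28, 12, 0, tzinfo=timezone.utc)
    # Constructed sample: 'read' token issued an hour ago, 36000 s lifetime.
    tok = Token("alice", "client-a", frozenset({"read"}),
                now - timedelta(hours=1) + timedelta(seconds=36000))
    check = lambda prompt, client, scopes, at: consent_required(
        prompt, "alice", client, scopes, [tok], at)
    return {
        "auto_same_scope": check("auto", "client-a", {"read"}, now),
        "auto_wider_scope": check("auto", "client-a", {"read", "write"}, now),
        "auto_other_client": check("auto", "client-b", {"read"}, now),
        "auto_after_expiry": check("auto", "client-a", {"read"},
                                   now + timedelta(hours=10)),
        "force_same_scope": check("force", "client-a", {"read"}, now),
    }


if __name__ == "__main__":
    for case, shown in demo().items():
        print(f"{case}: consent screen shown = {shown}")
```

In this model, under 'auto' a still-valid token silently approves a later request for the same or narrower scopes, while a wider scope, a different client or an expired token brings the consent screen back.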

jaap3 commented on Aug 28, 2024

It seems that you can also use the approval_prompt request parameter (which doesn't seem to be part of the spec).

I'm not sure if DOT supports the prompt=consent which is part of the spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

jaap3 commented on Aug 28, 2024

Turns out REQUEST_APPROVAL_PROMPT defaults to 'force', so now I don't know what to think:

https://github.com/jazzband/django-oauth-toolkit/blob/34912ff53d948831cf4d86f210290b06c04e4d09/oauth2_provider/settings.py#L70

dopry commented on Nov 2, 2025

Member

@johnnyAnd the specs don't always require the consent form to be displayed. If you think you are experiencing a bug, open a new issue with the details to reproduce it and hopefully someone will take the time to confirm and fix it.

          How Consent Form is Working? · Issue #1441 · django-oauth/django-oauth-toolkit