Do you want to request a feature or report a bug?
Bug, I believe.
What is the current behavior?
I'm trying to set up silent refresh using Hydra, hydra-login-consent-node, and oidc-client-js's sample vanilla js app. I log in and allow access, checking "remember me" for both. At this point if I try to get a new token, I am able to skip both login and consent. However, if I try to use prompt=none, the login part succeeds, but instead of the auth endpoint redirecting to the consent page, I get redirected back to the app with an error: "The Authorization Server requires End-User consent" and "OAuth 2.0 Client is marked public and requires end-user consent but "prompt=none" was requested".
What is the expected behavior?
If consent is already remembered, I would expect to be able to proceed through the process and get a new token. The spec says "[consent_required] MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent". But in this case, the consent challenge would return {"skip": true}, so I don't think there's any need to display a user interface.
Which version of the software is affected?
Beta 9.
Do you want to request a feature or report a bug?
Bug, I believe.
What is the current behavior?
I'm trying to set up silent refresh using Hydra, hydra-login-consent-node, and oidc-client-js's sample vanilla js app. I log in and allow access, checking "remember me" for both. At this point if I try to get a new token, I am able to skip both login and consent. However, if I try to use prompt=none, the login part succeeds, but instead of the auth endpoint redirecting to the consent page, I get redirected back to the app with an error: "The Authorization Server requires End-User consent" and "OAuth 2.0 Client is marked public and requires end-user consent but "prompt=none" was requested".
What is the expected behavior?
If consent is already remembered, I would expect to be able to proceed through the process and get a new token. The spec says "[consent_required] MAY be returned when the prompt parameter value in the Authentication Request is
none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent". But in this case, the consent challenge would return{"skip": true}, so I don't think there's any need to display a user interface.Which version of the software is affected?
Beta 9.