This repository has been archived by the owner on Sep 1, 2020. It is now read-only.

Test OP-prompt-none-LoggedIn does not return status on error and potentially violates rfc8252#8.6 #97

Closed
aeneasr opened this issue May 24, 2018 · 4 comments

Comments

@aeneasr

aeneasr commented May 24, 2018

I'm trying to perform the OP-prompt-none-LoggedIn test which, in my implementation, returns a consent_required error. It returns that error because of the following:

As stated in Section 10.2 of OAuth 2.0 [RFC6749], the authorization
server SHOULD NOT process authorization requests automatically
without user consent or interaction, except when the identity of the
client can be assured. This includes the case where the user has
previously approved an authorization request for a given client id --
unless the identity of the client can be proven, the request SHOULD
be processed as if no previous request had been approved.

Measures such as claimed "https" scheme redirects MAY be accepted by
authorization servers as identity proof. Some operating systems may
offer alternative platform-specific identity features that MAY be
accepted, as appropriate.

Source: https://tools.ietf.org/html/rfc8252#section-8.6

If I'm reading this correctly, then public clients that use, for example, the implicit grant have to regain consent from the user. An exception to that rule is ("MAY") when the https scheme is set in the redirect URL.

My implementation, currently, returns a consent_required at all times. However, in the UI I can neither see a stack trace nor does the status indicate that the test ran.

Here's a screen recording of that flow:

[screen recording]

Login is skipped in the first step as the user is authenticated already.

In the screens that follow you can clearly see that error=consent_required is returned:

[screenshot]

But the status in the tool hasn't updated:

[screenshot]

Maybe I'm reading the spec here incorrectly in which case I'll remove the consent_required.

Nonetheless, the UI should return a status result here even if an error occurred.

@aeneasr aeneasr changed the title Test OP-prompt-none-LoggedIn does not return status and potentially violates rfc8252#8.6 Test OP-prompt-none-LoggedIn does not return status on error and potentially violates rfc8252#8.6 May 24, 2018
@zandbelt

For the record, you're referring to e.g. an Implicit flow where the client is not authenticated. It seems you're right and there should be different accepted behavior for Implicit/Hybrid and Code flows since "consent_required" is an option in the spec. Currently the test suite only accepts successful authentication attempts for all response types. @selfissued and @rohe can you comment?

@aeneasr
Author

aeneasr commented May 28, 2018

Thank you for the response @zandbelt, you described the issue perfectly.

@selfissued

Returning a non-successful response for prompt=none when logged in defeats the purpose of the feature: being able to silently confirm that the end-user is logged in. The test suite is correct in verifying that the OP returns success in this case.

To be certified, the software has to implement prompt=none in the intended fashion.

@panva
Collaborator

panva commented May 29, 2018

That's why the suite runs a regular authentication request first, to make sure any OP can authenticate the current session according to its policies and allow e.g. the client_id or a combination of client_id and redirect_uri for subsequent "none" silent requests to enable token renewals and "is the user still logged in" requests.
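The policy described across this thread (a regular interactive request first records the end-user's consent for a client_id plus redirect_uri; a later prompt=none request then succeeds silently for that pair, and fails with an OpenID Connect error code otherwise), together with the RFC 8252 §8.6 caveat from the opening post, as an added example. This is not code from the conformance suite, from the reporter's OP, or from any project named here; the `Client`, `Session`, `decide_prompt_none` and `error_from_redirect` names are assumptions, and the choice to accept a claimed `https` redirect as identity proof for a public client is one option the RFC permits, not a requirement. The last helper shows the defensive counterpart to the UI bug reported here: a harness should parse the error out of the redirect and report it rather than stay silent.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class Client:
    client_id: str
    public: bool                 # True for clients without credentials (e.g. implicit/hybrid SPAs, native apps)
    redirect_uris: Set[str]      # registered redirect URIs (exact match only)


@dataclass
class Session:
    subject: Optional[str] = None
    # (client_id, redirect_uri) pairs approved in an earlier interactive request
    consents: Set[Tuple[str, str]] = field(default_factory=set)


def client_identity_assured(client: Client, redirect_uri: str) -> bool:
    """RFC 8252 section 8.6: a confidential client proves who it is with its credentials;
    for a public client a claimed 'https' redirect MAY be accepted as proof.
    Assumption: this OP chooses to accept it (custom-scheme redirects are not accepted)."""
    if not client.public:
        return True
    return urlparse(redirect_uri).scheme == "https"


def record_interactive_consent(session: Session, client: Client, redirect_uri: str) -> None:
    """Called after the regular (non-silent) authorization request the suite runs first."""
    session.consents.add((client.client_id, redirect_uri))


def decide_prompt_none(session: Session, client: Client, redirect_uri: str) -> Tuple[str, Optional[str]]:
    """Decide a prompt=none request: ('ok', None) or ('error', <OIDC Core 3.1.2.6 error code>)."""
    if redirect_uri not in client.redirect_uris:
        # never bounce an error to an unregistered URI; this is answered at the OP itself
        return ("error", "invalid_request")
    if session.subject is None:
        return ("error", "login_required")
    if (client.client_id, redirect_uri) not in session.consents:
        return ("error", "consent_required")
    if not client_identity_assured(client, redirect_uri):
        # prior approval does not carry over when the client cannot be identified (RFC 8252 8.6)
        return ("error", "consent_required")
    return ("ok", None)


def error_from_redirect(location: str) -> Optional[str]:
    """Extract the OIDC error code from a redirect, whether it rides in the query
    (code flow) or the fragment (implicit/hybrid). Returns None on a success redirect."""
    parsed = urlparse(location)
    for params in (parse_qs(parsed.query), parse_qs(parsed.fragment)):
        if "error" in params:
            return params["error"][0]
    return None


def silent_flow(client: Client, redirect_uri: str, logged_in: bool = True) -> Tuple[str, Optional[str]]:
    """Constructed walk-through: interactive request first, then the silent one."""
    session = Session(subject="user-1" if logged_in else None)
    if logged_in:
        record_interactive_consent(session, client, redirect_uri)
    return decide_prompt_none(session, client, redirect_uri)


if __name__ == "__main__":
    spa = Client("spa", public=True, redirect_uris={"https://rp.example/cb"})
    native = Client("app", public=True, redirect_uris={"com.example.app:/cb"})
    backend = Client("web", public=False, redirect_uris={"http://localhost:8080/cb"})
    print(silent_flow(spa, "https://rp.example/cb"))          # ('ok', None)
    print(silent_flow(native, "com.example.app:/cb"))         # ('error', 'consent_required')
    print(silent_flow(backend, "http://localhost:8080/cb"))   # ('ok', None)
    print(error_from_redirect("https://rp.example/cb#error=consent_required&state=xyz"))
```

The confidential client and the public client with an https redirect both get the silent success the suite expects; only the public client that cannot prove its identity is sent back to consent, which is the narrower case the opening post was really asking about.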
