
Silent token refresh fails with "The Authorization Server requires End-User consent" #1068

Closed
pvsr opened this issue Oct 3, 2018 · 4 comments

Comments

pvsr commented Oct 3, 2018

Do you want to request a feature or report a bug?
Bug, I believe.

What is the current behavior?
I'm trying to set up silent refresh using Hydra, hydra-login-consent-node, and oidc-client-js's sample vanilla js app. I log in and allow access, checking "remember me" for both. At this point if I try to get a new token, I am able to skip both login and consent. However, if I try to use prompt=none, the login part succeeds, but instead of the auth endpoint redirecting to the consent page, I get redirected back to the app with an error: "The Authorization Server requires End-User consent" and "OAuth 2.0 Client is marked public and requires end-user consent but "prompt=none" was requested".

What is the expected behavior?
If consent is already remembered, I would expect to be able to proceed through the process and get a new token. The spec says "[consent_required] MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent". But in this case, the consent challenge would return {"skip": true}, so I don't think there's any need to display a user interface.

Which version of the software is affected?
Beta 9.

aeneasr (Member) commented Oct 5, 2018

This is most likely a bug in your login & consent logic or your auth flow. Maybe you're requesting other permissions or forgot to properly accept the consent part. Silent refresh is supported and tested and certified by the OpenID Foundation.

aeneasr closed this as completed Oct 5, 2018

bretep commented Mar 6, 2019

@pvsr Did you figure this out?

I'm having the same issue.

Request:

redirect_uri=https://app.example.com/silent_renew
response_type=token id_token
scope=offline openid paffl
state=18734f28648749ae9288695a60288ec5
nonce=1c5e8178aa1845399e61ec0adc8e4f81
prompt=none
id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjNmM0MDc3ZC01ZDU4LTRlNjItYTExNi0xNW....<REMOVED FOR BREVITY>...KUR0RlMG-ans-dI-XRljAe6RTIadjW6YwPsH8lIxdpgclFXt4t450RbuOry-wftFEOXfRpz60JJ1VFtWQiKPMiNEndsaUiFYMS9tQ496vwpIkST7CZ0pMGs2HudevANdMa___nHfPQHD4HWZjy60gKwXn3bxl1buRXaIyPh5YGbzjBuB4k5pmFr5Yg3UU3onsDKa2tbJclCLXieLAiGPLTXDsP6hxWPRjVm86_spNDuGOv-u_2j8Bkq5VHmWTVLgDFrkFTxGq0HnKTBPMzq0skG1nVGr_6KYL9gloO-C_UG320zuXiD8FO8HShEQypq02i4
acr_values=oauth2

Hydra error:

INFO[1026] started handling request                      method=GET remote=<PUBLIC_IP> request=/.well-known/openid-configuration
INFO[1026] completed handling request                    measure#https://account.example.com.latency=199562 method=GET remote=<PUBLIC_IP> request=/.well-known/openid-configuration status=200 text_status=OK took="199.562µs"
INFO[1026] started handling request                      method=GET remote=<PUBLIC_IP> request="/oauth2/auth?client_id=a-ffl-dev&redirect_uri=https%3A%2F%2Fapp.example.com%2Fsilent_renew&response_type=token%20id_token&scope=offline%20openid%20paffl&state=18734f28648749ae9288695a60288ec5&nonce=1c5e8178aa1845399e61ec0adc8e4f81&prompt=none&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6In....<REMOVED FOR BREVITY>...OXfRpz60JJ1VFtWQiKPMiNEndsaUiFYMS9tQ496vwpIkST7CZ0pMGs2HudevANdMa___nHfPQHD4HWZjy60gKwXn3bxl1buRXaIyPh5YGbzjBuB4k5pmFr5Yg3UU3onsDKa2tbJclCLXieLAiGPLTXDsP6hxWPRjVm86_spNDuGOv-u_2j8Bkq5VHmWTVLgDFrkFTxGq0HnKTBPMzq0skG1nVGr_6KYL9gloO-C_UG320zuXiD8FO8HShEQypq02i4&acr_values=oauth2"
ERRO[1026] An error occurred                             debug="Prompt \"none\" was requested, but no existing login session was found" description="The Authorization Server requires End-User authentication" error=login_required
DEBU[1026] Stack trace:
github.com/ory/hydra/consent.(*DefaultStrategy).forwardAuthenticationRequest
        /go/src/github.com/ory/hydra/consent/strategy_default.go:192
github.com/ory/hydra/consent.(*DefaultStrategy).requestAuthentication
        /go/src/github.com/ory/hydra/consent/strategy_default.go:118
github.com/ory/hydra/consent.(*DefaultStrategy).HandleOAuth2AuthorizationRequest
        /go/src/github.com/ory/hydra/consent/strategy_default.go:602
github.com/ory/hydra/oauth2.(*Handler).AuthHandler
        /go/src/github.com/ory/hydra/oauth2/handler.go:610
github.com/ory/hydra/oauth2.(*Handler).AuthHandler-fm
        /go/src/github.com/ory/hydra/oauth2/handler.go:173
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        /go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:334
github.com/urfave/negroni.Wrap.func1
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:1964
github.com/ory/hydra/cmd/server.(*Handler).RejectInsecureRequests
        /go/src/github.com/ory/hydra/cmd/server/handler.go:297
github.com/ory/hydra/cmd/server.(*Handler).RejectInsecureRequests-fm
        /go/src/github.com/ory/hydra/cmd/server/handler.go:62
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP
        /go/src/github.com/ory/hydra/metrics/prometheus/middleware.go:26
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/meatballhat/[email protected]/middleware.go:136
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96
github.com/gorilla/context.ClearHandler.func1
        /go/pkg/mod/github.com/gorilla/[email protected]/context.go:141
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:1964
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2741
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1847
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1333

bretep commented Mar 6, 2019

My client config:

{
	"client_id": "a-ffl-dev",
	"grant_types": [
		"refresh_token",
		"authorization_code",
		"implicit",
		"password"
	],
	"jwks": {},
	"redirect_uris": [
		"https://app.example.com/callback",
		"https://app.example.com/silent_renew"
	],
	"response_types": [
		"token",
		"code",
		"id_token",
		"token id_token"
	],
	"scope": "profile openid offline offline_access paffl",
	"subject_type": "public",
	"token_endpoint_auth_method": "client_secret_basic",
	"userinfo_signed_response_alg": "none"
}

Zensey commented Sep 12, 2019

I was experiencing the same problem.
For me it was solved after adding Remember=true value into consent accept request:

consent.HandledConsentRequest{
	GrantedScope: grantedScopes,
	Session:      &consent.ConsentRequestSessionData{},
	Remember:     true, // tells Hydra to store this consent decision
	RememberFor:  3600,
}

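The thread converges on one point: a prompt=none request can only succeed at the consent step if the consent app previously accepted the consent request with remember set, because that stored grant is what makes the next consent challenge arrive with skip=true. The Go program below is an added example, not code from Hydra, hydra-login-consent-node or any commenter. It models both sides: a consent app that honours skip (accepts at once, no UI) and otherwise accepts with Remember, and a constructed in-memory stand-in for the authorization server that only remembers a grant when Remember was sent and refuses prompt=none without one. The fakeHydra type, its Authorize method, the ConsentAdmin interface, the subject "alice" and the scope list are all assumptions made for the example; a real consent app would call Hydra's admin API over HTTP instead (in Hydra v1.x: GET /oauth2/auth/requests/consent and PUT /oauth2/auth/requests/consent/accept, both keyed by consent_challenge). The fake only models the consent step after login has already succeeded; note that the log bretep posted shows error=login_required, which is the earlier login-session check and is not modelled here.

```go
package main

import (
	"errors"
	"fmt"
)

// Shapes trimmed to the fields used here; the names follow the JSON of Hydra v1.x's
// consent admin endpoints (skip, requested_scope, grant_scope, remember, remember_for).
type ConsentRequest struct {
	Challenge      string
	Skip           bool // true when the server already holds a remembered grant for subject+client
	Subject        string
	ClientID       string
	RequestedScope []string
}

type AcceptConsent struct {
	GrantScope  []string
	Remember    bool
	RememberFor int // seconds
}

// ConsentAdmin is the slice of the admin API a consent app needs (assumed interface).
type ConsentAdmin interface {
	GetConsentRequest(challenge string) (ConsentRequest, error)
	AcceptConsentRequest(challenge string, a AcceptConsent) (redirectTo string, err error)
}

// ErrConsentRequired mirrors the error the reporters saw for prompt=none.
var ErrConsentRequired = errors.New("consent_required: The Authorization Server requires End-User consent")

// fakeHydra is a constructed in-memory stand-in for the authorization server and its
// consent admin API; it is not Hydra. A grant is kept only when accepted with Remember=true.
type fakeHydra struct {
	seq        int
	challenges map[string]ConsentRequest
	remembered map[string][]string // "subject|client_id" -> granted scope
}

// Authorize models /oauth2/auth once login has already succeeded. With prompt=none it
// refuses to start a consent challenge unless a grant was remembered.
func (h *fakeHydra) Authorize(subject, clientID string, scope []string, promptNone bool) (string, error) {
	_, skip := h.remembered[subject+"|"+clientID]
	if promptNone && !skip {
		return "", ErrConsentRequired
	}
	h.seq++
	cr := ConsentRequest{Challenge: fmt.Sprintf("challenge-%d", h.seq), Skip: skip,
		Subject: subject, ClientID: clientID, RequestedScope: scope}
	h.challenges[cr.Challenge] = cr
	return cr.Challenge, nil
}

func (h *fakeHydra) GetConsentRequest(challenge string) (ConsentRequest, error) {
	if cr, ok := h.challenges[challenge]; ok {
		return cr, nil
	}
	return ConsentRequest{}, errors.New("unknown consent challenge")
}

func (h *fakeHydra) AcceptConsentRequest(challenge string, a AcceptConsent) (string, error) {
	cr, err := h.GetConsentRequest(challenge)
	if err != nil {
		return "", err
	}
	if a.Remember { // the stored grant is what a later prompt=none request can skip on
		h.remembered[cr.Subject+"|"+cr.ClientID] = a.GrantScope
	}
	return "https://app.example.com/silent_renew#" + challenge, nil
}

// HandleConsent is the consent app's side. A skipped challenge is accepted at once, with no
// UI and no new Remember (the grant already exists); a fresh one is where a real app renders
// its consent page, and here it is accepted as if the user ticked "remember me" when remember is true.
func HandleConsent(admin ConsentAdmin, challenge string, remember bool) (string, error) {
	cr, err := admin.GetConsentRequest(challenge)
	if err != nil {
		return "", err
	}
	return admin.AcceptConsentRequest(challenge, AcceptConsent{
		GrantScope: cr.RequestedScope, Remember: remember && !cr.Skip, RememberFor: 3600})
}

// SilentRefreshWorks runs the thread's scenario: one interactive consent, then a prompt=none
// request for the same subject, client and scope. It reports whether the silent request got
// through; a non-nil error means something other than consent_required broke.
func SilentRefreshWorks(remember bool) (bool, error) {
	h := &fakeHydra{challenges: map[string]ConsentRequest{}, remembered: map[string][]string{}}
	scope := []string{"openid", "offline", "paffl"}
	ch, err := h.Authorize("alice", "a-ffl-dev", scope, false)
	if err != nil {
		return false, err
	}
	if _, err = HandleConsent(h, ch, remember); err != nil {
		return false, err
	}
	if ch, err = h.Authorize("alice", "a-ffl-dev", scope, true); errors.Is(err, ErrConsentRequired) {
		return false, nil
	} else if err != nil {
		return false, err
	}
	_, err = HandleConsent(h, ch, remember)
	return err == nil, err
}
```

SilentRefreshWorks(false) reproduces the failure in the thread (the second, prompt=none authorization is refused with consent_required), and SilentRefreshWorks(true) shows the fix: the first consent stores a grant, the second challenge arrives with Skip=true and is accepted without any user interface. Note that HandleConsent deliberately does not send Remember again on a skipped challenge; the grant is already stored, and re-remembering a request that showed no UI is not something the consent app should claim.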