
Always getting skip as false in the consent request for android custom scheme redirect urls #2585

Closed
Sharad-Regoti-Unotech opened this issue Jun 23, 2021 · 8 comments · Fixed by #2826

@Sharad-Regoti-Unotech

Describe the bug
I am using the android-auth-package with a public client to initiate the auth flow with PKCE.
I have successfully integrated the app and I am able to get the refresh, ID and access tokens.

But every time I get skip = false even though I set remember to true when accepting the initial consent.
After debugging the Ory code, I believe this part is the issue:
[image]

I am using custom scheme redirect URLs (e.g. com.example.com); because of that the above-mentioned code triggers and I don't get skip = true.

If I use https-based redirect URLs instead of custom-scheme-based URLs, everything works perfectly.

I think these are some related issues:
#866
#2108

Reproducing the bug

Steps to reproduce the behavior:

  1. Create a client on Ory Hydra and set the authentication method to none
  2. Install the demo app provided here (you have to change the configuration provided in this file)
  3. Register a custom scheme URL in the app and ensure that the same URL is set as a redirect URL during client registration

Expected behavior
Ory should set skip = true for Android custom scheme redirect URLs.


@aeneasr
Member

aeneasr commented Jun 23, 2021

This is unfortunately expected behaviour as required by the OpenID Connect Certification process. Without it, OpenID Certification would not be achieved.

The specification explains that public clients using a non-https redirect scheme have to go through consent always.

Would you maybe be open to adding this to the documentation to help others avoid going down this rabbit hole? :) https://github.com/ory/hydra/blob/master/docs/docs/guides/oauth2-public-spa-mobile.mdx
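The rule aeneasr describes, written out as an added illustration in Go (not Hydra's own code): a remembered consent is honoured only when the client is confidential or the redirect URI uses https, because a custom scheme can be claimed by any app on the device, so the stored grant cannot be tied to the app that made it. The `Client` and `ConsentDecision` types and the `DecideSkip` function are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Client carries the two facts the skip decision depends on (constructed type,
// not Hydra's own model).
type Client struct {
	ID                      string
	TokenEndpointAuthMethod string // "none" marks a public client (no client secret)
}

// ConsentDecision is the outcome of the consent step for one authorization request.
type ConsentDecision struct {
	Skip   bool
	Reason string
}

// DecideSkip reports whether a previously remembered consent may be reused
// (skip = true). A public client redirecting to anything but an https URL is
// always sent through consent again: a custom scheme such as com.example.app:/
// is not bound to one installed app, so the remembered grant proves nothing
// about who is receiving the authorization code.
func DecideSkip(c Client, redirectURI string, remembered bool) (ConsentDecision, error) {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return ConsentDecision{}, fmt.Errorf("invalid redirect_uri %q: %w", redirectURI, err)
	}
	if !remembered {
		return ConsentDecision{Skip: false, Reason: "no remembered consent for this client"}, nil
	}
	public := c.TokenEndpointAuthMethod == "none"
	if public && !strings.EqualFold(u.Scheme, "https") {
		return ConsentDecision{Skip: false, Reason: fmt.Sprintf("public client with non-https redirect scheme %q", u.Scheme)}, nil
	}
	return ConsentDecision{Skip: true, Reason: "remembered consent honoured"}, nil
}

func main() {
	// Constructed sample: the Android public client from the issue, once with a
	// custom scheme and once with an https redirect URL.
	app := Client{ID: "android-demo", TokenEndpointAuthMethod: "none"}
	for _, uri := range []string{"com.example.app:/callback", "https://app.example.com/callback"} {
		d, _ := DecideSkip(app, uri, true)
		fmt.Printf("%-35s skip=%-5v %s\n", uri, d.Skip, d.Reason)
	}
}
```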

@aeneasr aeneasr added the docs label Jun 23, 2021
@Sharad-Regoti-Unotech
Author

What would be the consequences if I just comment out that part of the code in Ory Hydra as shown in the image?

@sharadregoti

Ok, I'll update the docs.
Can you give me some pointers about what info I should add?

@aeneasr
Member

aeneasr commented Jun 27, 2021

I think a section explaining that public clients can’t skip consent (and the reason why) would be a perfect start :)

@amaaniqbal
Contributor

@aeneasr Should I try adding a few lines about this at the end of https://github.com/ory/hydra/blob/master/docs/docs/guides/oauth2-public-spa-mobile.mdx as part of Hacktoberfest?

@amaaniqbal
Contributor

@aeneasr @vinckr @zepatrik Is this low on priority for some reason?

@aeneasr
Member

aeneasr commented Oct 29, 2021

Please do :) Sorry, we sometimes miss notifications

@amaaniqbal
Contributor

No worries! I am working on the PR.
