无法通过OASO2 / OpenID验证访问令牌在WSO2 Identity Server上使用prompt = none参数进行验证

Question

An according to OpenID Connect Core 1.0 specification , if authentication request contains parameter prompt with value none , server must process it the following way:

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

My problem is that whenever I try to validate access token received before this way (passing prompt=none pair along with other required parameters), WSO2 IS server always replies with code 302 and redirect to login page. Below is the corresponding output from following cURL command:

curl -v -k -X GET "https://localhost:9443/oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx" --header "Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4"

> GET /oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f
6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:9443
> Accept: */*
> Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4
>
< HTTP/1.1 302 Found
< Date: Thu, 14 Aug 2014 17:01:17 GMT
< Location: https://localhost:9443/commonauth/?sessionDataKey=bf5be153-4j31-429b
-9fa6-97rr27da213&type=oidc&commonAuthCallerPath=/oauth2/authorize&forceAuthent
icate=false&checkAuthentication=false&relyingParty=BpKCycd5dBfZdpVswSE5f6Hf5CYa&
tenantId=-1234&prompt%3Dnone%26scope%3Dopenid%26client_id%3DBpKCycr5dBuZCpVBwSE5
f6Hf5CYa%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%25
3A8080%252Fmy-app%252Fmy-ctx

Could someone tell me - it's problem in authentication request itself and I did something wrong or WSO2 IS server behaviour in this case doesn't conform to the specification?

I work with WSO2 Identity Server 5.0.0

Thanks in advance for your answers!

Answer 1

According to the spec The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value , an error is returned.

But in this request only send none as prompt value, So prompt value is set to none with any other value it gives an error.

Example:

curl -v -k -X GET "https://localhost:9444/oauth2/authorize?prompt=none+login&scope=openid..."

Answer 2

Maybe you can use following request to validate token:

curl -k -H "Authorization: Bearer <token>" \
https://localhost:9443/oauth2/userinfo?schema=openid

It returns user info if user is authenticated. I know that this is workaround and you cannot get token expire data, but in some case can be useful. I came here with the similar problem and your question gave me idea how to solve it.