使用 oauth2 进行静默身份验证（提示 = 无）

Question

Hi I have SPA(Single page application) where I use oauth2 implicit grant for authorization. As Identity server I have Wso2 identity server 5.4.1.

I am able to authorize the app and everything works as desired - also I configured to skip the consent.

Here goes the problem: I am trying to silently reauthenticate logged user with following link with help of .../oauth2/authorize service and attribute prompt=none:

https://xxx:9447/oauth2/authorize?response_type=id_token token&nonce=123&prompt=none&client_id=xxxx&scope=openid&redirect_uri=http://localhost:63342/myapp/www/index.html&id_token_hint=previous_user_token

With promp=none as written here:

http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint I should be able to authenticate user when he is logged and the consent is configured to be skipped or always approve.

But I always get the same error back in URI:

http://localhost:63342/myapp/www/index.html#error_description=Authentication+required&error=login_required&session_state=state124124125125.1251512

Answer 1

This error login_required means that your user is not logged in on the IP. You must first ask him to connect by redirecting it to the authorization endpoint without the prompt parameter set to none.

See : http://openid.net/specs/openid-connect-core-1_0.html#AuthError

login_required The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication.

According to the documentation, it seems that the user must choose the option on the consent page: Approve Always. Have you tested with this option?

Docs: https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground

Click Approve to provide consent to this action. The screen mentions the service provider by name and requests for user consent to provide user information to that particular service provider. The user can either Deny to provide information to the service provider. Approve to provide user profile information to this service provider only for this time.

Approve Always to provide approval to share user profile information with the service provider even in the future without prompting for consent again.