Some providers choose to skip consent in first-party scenarios. This is not fully OpenID Connect spec compliant but since it’s usually for only a specific set of clients, it does not get properly validated by the OpenID Connect certification, thus doesn’t come up during audit 😉
powerful-lunch-99313
05/02/2022, 6:57 AM
I actually noticed that dex utilizes this mode specifically for compliance testing, but never mentions it anywhere else in their docs, so that kind of makes sense now.
powerful-lunch-99313
05/02/2022, 7:48 AM
I'm kind of curious what your interpretation of this section here is, specifically "this MAY be done through an interactive dialogue with the End-User that makes it clear what is being consented to or by establishing consent via conditions for processing the request or other means" and "previous administrative consent":
https://openid.net/specs/openid-connect-core-1_0.html#Consent