# general

powerful-lunch-99313

04/26/2022, 2:07 AM
Hey all, more of a spec question than anything specific to ory, however in utilizing/implementing fosite, it's hard to miss the attention to detail for the specification that is given by the ory developers. So I figured ory will have some far more knowledgeable people than me who can answer this, and rather than clogging up GitHub issues I thought this would be a good place. My specific question is in relation to consent. My reading of https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest (see prompt) seems to indicate that users can remember consent (see pre-configured consent) but should be prompted for consent if the prompt type is consent, and https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess explicitly states the prompt type MUST be consent if the offline_access scope is requested; however, https://openid.net/specs/openid-connect-core-1_0.html#Consent indicates the consent form may be in a variety of forms. In addition, several implementations of OpenID Connect seem to allow administrators to configure this consent process to be implicit rather than explicit, which I don't think is a good measure for what you should implement, but combined with the last link it is an indication there is room for providers to decide how to handle this. Is this understanding correct? Or am I way off base?

high-optician-2097

05/02/2022, 6:55 AM
Some providers choose to skip consent in first-party scenarios. This is not fully OpenID Connect spec compliant but since it’s usually for only a specific set of clients, it does not get properly validated by the OpenID Connect certification, thus doesn’t come up during audit 😉

powerful-lunch-99313

05/02/2022, 6:57 AM
I actually noticed that dex utilizes this mode specifically for compliance testing, but never mentions it anywhere else in their docs, so that kind of makes sense now.
I'm kind of curious what your interpretation of this section here is, specifically "this MAY be done through an interactive dialogue with the End-User that makes it clear what is being consented to or by establishing consent via conditions for processing the request or other means" and "previous administrative consent": https://openid.net/specs/openid-connect-core-1_0.html#Consent