# talk-hydra
b
Howdy. I'm trying to understand the OAuth2 flow when connecting with different clients. Assume we have OAuth2 Client A, which is a first-party application, where consent is automatically accepted. We have OAuth2 Client B, which is a third-party application, that wants to access data from the first-party application. Everything works great with the 1st-party app. When the user is logged in to the 1st-party app and tries to authenticate with the 3rd-party app, the user has to log in again. It would make sense to me to skip login and only ask for consent for this OAuth2 client. Hydra doesn't seem to be doing that for me. How could I proceed with this?
l
Your consent handler should distinguish between first- and third-party clients somehow (e.g. by reading client metadata) and automatically accept consent for first-party apps.
b
That is already working. The problem is that the client is required to log in again when he needs to authorize OAuth2 Client B, but has already authorized OAuth2 Client A. It is waiting for the login, which comes before consent.
l
The login request has `Skip` and `Subject` fields which, if present, allow you to skip login in the login handler as well.
Basically, if skip is true then you auto-login instead of showing the login page.
b
Basically the issue is that our current version of the frontend (web app) does not support login when the user is already logged in. When a user tries to authorize Client B, he is shown the app itself instead of the login page. While I could have the web app configured to not redirect away from the login page even when logged in, I'm trying to understand why Hydra just won't give me `skip: true` for this use case.
l
What is the `prompt` value you pass to the authorization endpoint? (if there is any)
b
Currently I do not have this value configured, but trying out `prompt=consent` did not help.
I have configured the `remember` value for the user to `true` and 14 days. Testing reauth in the app while logged in results in automatic skipping.
This is what happens in the first-party app, when you try to reauthorize. All these steps are done/skipped automatically.
But when using the third-party app, it does not skip the login.
The flow works when I'm not logged in to the 1st-party app.