jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

How Consent Form is Working? #1441

Open johnnyAnd opened 1 month ago

johnnyAnd commented 1 month ago

I have the following set in my settings.py

OAUTH2_PROVIDER = {
    'ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
    'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600,
    # 'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore',
    'SCOPES': {
        'read': 'Read scope',
        'write': 'Write scope',
    },
    'PKCE_REQUIRED': False,  # PKCE is NOT enforced with this value; set it to True to require PKCE
}

But I don't see the Authorize Consent Form every time I try to log in via OAuth. What is the exact thing in the database or cache that is stopping the consent form from appearing again? I want to show the consent form for authorization each time the user logs in via OAuth.

n2ygk commented 1 month ago

It’s probably in a browser cookie


jaap3 commented 1 week ago

There is a setting REQUEST_APPROVAL_PROMPT, which controls when the consent screen is displayed. Setting this to 'force' will always show the consent screen.

The default is 'auto', meaning DOT will check if there is an active (non-expired) token for request.user with the same client and overlapping scopes as the current authorization request. If such a token exists, consent is automatically granted.

This means that, if the token isn't refreshed, the consent screen will reappear after ACCESS_TOKEN_EXPIRE_SECONDS (default: 36000, or 10 hours).

jaap3 commented 1 week ago

It seems that you can also use the approval_prompt request parameter (which doesn't seem to be part of the spec).

I'm not sure if DOT supports the prompt=consent which is part of the spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
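The following is an added stand-alone model of the consent decision described in the two comments above ('force' versus 'auto', plus the approval_prompt request parameter). It is illustration code written for this thread, not code from django-oauth-toolkit, and it has no Django dependency so it runs offline. Its assumptions, not verified against any particular DOT release: 'force' always shows the form; 'auto' skips the form when the requesting user already holds a non-expired access token for the same client whose scopes cover every requested scope (the stricter reading of "overlapping"); and an approval_prompt query parameter, when present, takes precedence over the REQUEST_APPROVAL_PROMPT setting. The AccessToken class, the OAUTH2_PROVIDER dict and the sample token rows are constructed for the example.

```python
"""Model of DOT-style consent skipping ('auto') versus forced consent ('force').

Illustration written for this issue thread; not django-oauth-toolkit code.
Assumptions (not checked against a specific DOT release) are noted inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical settings fragment mirroring the OAUTH2_PROVIDER dict in settings.py.
OAUTH2_PROVIDER = {
    "ACCESS_TOKEN_EXPIRE_SECONDS": 36000,
    "REQUEST_APPROVAL_PROMPT": "auto",  # change to "force" to always prompt
}


@dataclass(frozen=True)
class AccessToken:
    """Stand-in for one access-token row: user, client, scopes, expiry."""

    user: str
    application: str  # client identifier the token was issued to
    scope: str        # space-separated scope string
    expires: datetime

    def is_active(self, now: datetime) -> bool:
        return self.expires > now

    def allow_scopes(self, requested) -> bool:
        # Assumption: every requested scope must already be covered by the token.
        return set(requested).issubset(set(self.scope.split()))


def effective_prompt(query_params: dict, settings: dict = OAUTH2_PROVIDER) -> str:
    """Assumption: a request parameter overrides the configured default."""
    return query_params.get("approval_prompt", settings["REQUEST_APPROVAL_PROMPT"])


def blocking_token(user, client_id, requested_scopes, tokens, now):
    """Return the existing token that would let 'auto' skip consent, or None.

    This is the 'exact thing in the database' the question asks about: a
    non-expired token for the same user and client covering the requested scopes.
    """
    for tok in tokens:
        if (tok.user == user and tok.application == client_id
                and tok.is_active(now) and tok.allow_scopes(requested_scopes)):
            return tok
    return None


def consent_required(user, client_id, requested_scopes, tokens, now,
                     query_params=None, settings=OAUTH2_PROVIDER) -> bool:
    """Decide whether the consent form is shown for this authorization request."""
    prompt = effective_prompt(query_params or {}, settings)
    if prompt == "force":
        return True
    if prompt != "auto":
        raise ValueError(f"unsupported approval prompt: {prompt!r}")
    return blocking_token(user, client_id, requested_scopes, tokens, now) is None


# Constructed sample data: a fixed clock and three token rows.
NOW = datetime(2024, 7, 25, 12, 0, tzinfo=timezone.utc)
EXPIRE = timedelta(seconds=OAUTH2_PROVIDER["ACCESS_TOKEN_EXPIRE_SECONDS"])
TOKENS = [
    AccessToken("alice", "app1", "read", NOW + EXPIRE),                    # fresh, read only
    AccessToken("alice", "app2", "read write", NOW - timedelta(days=1)),   # expired
    AccessToken("bob", "app1", "read write", NOW + EXPIRE),                # fresh, both scopes
]


def demo() -> dict:
    """Run the decision over a few scenarios; True means the form is shown."""
    forced = {**OAUTH2_PROVIDER, "REQUEST_APPROVAL_PROMPT": "force"}
    return {
        "alice_app1_read": consent_required("alice", "app1", ["read"], TOKENS, NOW),
        "alice_app1_write": consent_required("alice", "app1", ["write"], TOKENS, NOW),
        "alice_app2_read": consent_required("alice", "app2", ["read"], TOKENS, NOW),
        "bob_app1_auto": consent_required("bob", "app1", ["read"], TOKENS, NOW),
        "bob_app1_param_force": consent_required(
            "bob", "app1", ["read"], TOKENS, NOW, {"approval_prompt": "force"}),
        "bob_app1_setting_force": consent_required(
            "bob", "app1", ["read"], TOKENS, NOW, settings=forced),
    }


if __name__ == "__main__":
    for scenario, shown in demo().items():
        print(f"{scenario}: consent form {'shown' if shown else 'skipped'}")
```

Under these assumptions, alice is not prompted again for read on app1 because her earlier token is still live, but is prompted for write (not covered) and for app2 (token expired); bob is prompted only when 'force' is set, either per request or in settings. To reproduce the asker's situation on a real deployment, look for a non-expired access-token row for that user and client, since that is what an 'auto' prompt checks.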

jaap3 commented 1 week ago

Turns out REQUEST_APPROVAL_PROMPT defaults to 'force', so now I don't know what to think:

https://github.com/jazzband/django-oauth-toolkit/blob/34912ff53d948831cf4d86f210290b06c04e4d09/oauth2_provider/settings.py#L70