uafrica / oauth-server


How to ask for permission just once #32

Closed ajibarra closed 8 years ago

ajibarra commented 8 years ago

Hi,

I am implementing an OAuth server using the plugin but I am not sure how to avoid asking for perms each time the user logs in.

I am not sure if this is a client issue or a server issue but I want to simulate the following workflow:

Now:

The thing is that from the server's perspective the client is asking for an auth code, so I don't know if we should detect the client/owner and redirect automatically without asking, OR, on the other hand, the client should not ask for an auth code. But the thing is the client does not know anything about the owner/user because you are not logged in; you are just clicking "Log in with my own server".

Please let me know if you need me to clarify something.

Thanks

ajibarra commented 8 years ago

Nobody?

dakota commented 8 years ago

Hi @ajibarra, if you are using an authorisation code grant (the default, I believe) then you shouldn't be taking the user to the credentials page again since you've already authorised them. Rather you should just use the access token that you've previously received.

Currently the plugin does not check if the client/user combination has already been approved, so it will always ask again. A PR to change that behaviour would of course be welcome :)

ajibarra commented 8 years ago

Yeah, I understand the flow with the access token. The only issue with that is that the client is not aware of the user (or token) because the user is just logging in.

So now my question is: it is pretty easy to check the client/user combination. But the client is expecting an authorization code. If we detect the client/user combination has already been approved, what should we return? Should we generate a new authorization code and return it automatically, bypassing the approval screen?

dakota commented 8 years ago

The flow that I've experienced with other oauth servers is that if it has already been approved (and the scope has not changed), a new code is generated and the user is redirected to the redirectURI.
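
The flow dakota describes (look up whether this client/user pair was already approved for the requested scope, mint a fresh code, redirect to the registered URI) as added example code; this is not the uafrica/oauth-server plugin's code, and the in-memory tables, client IDs, user IDs, URIs and function names are invented for illustration. Besides the consent shortcut itself, it shows the checks a practitioner would want around it: the redirect URI must still match the client's registration exactly, the scope comparison is "nothing new requested" rather than string equality, the client's `state` is echoed back unchanged, and the code is short-lived, single use and bound to the client and redirect URI it was issued for.

```python
"""Added example: skipping the consent screen for an already-approved
client/user pair in an authorization-code grant. Not the plugin's code."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed sample data standing in for the server's client and approval
# tables; every client ID, user ID and URI below is invented for the example.
CLIENTS = {
    "web-app": {"redirect_uris": {"https://app.example.com/callback"}},
}
# (client_id, user_id) -> scopes the user has already approved for that client
APPROVALS = {
    ("web-app", "alice"): {"profile", "email"},
}
# Issued authorization codes keyed by code value; each entry is single use
CODES = {}


@dataclass
class Decision:
    action: str          # "redirect", "consent" or "error"
    location: str = ""   # redirect target when action == "redirect"
    code: str = ""       # the issued code (also embedded in location)
    reason: str = ""     # why consent or an error was chosen


def record_approval(client_id, user_id, scopes):
    """Called when the user clicks 'approve' on the consent screen."""
    APPROVALS.setdefault((client_id, user_id), set()).update(scopes)


def issue_code(client_id, user_id, redirect_uri, scopes, ttl=60):
    """Mint a short-lived code bound to client, user and redirect URI."""
    code = secrets.token_urlsafe(32)
    CODES[code] = {
        "client_id": client_id,
        "user_id": user_id,
        "redirect_uri": redirect_uri,
        "scopes": set(scopes),
        "expires": time.time() + ttl,
    }
    return code


def authorize(client_id, user_id, redirect_uri, scope, state):
    """Authorization endpoint logic for a user who is already logged in.

    Redirects straight back with a fresh code when the client/user pair was
    previously approved for every requested scope, shows the consent screen
    otherwise, and refuses outright on an unknown client or redirect URI.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return Decision("error", reason="unknown_client")
    # Exact match against the registered URIs: never redirect to an
    # unregistered URI, even when the user has approved this client before.
    if redirect_uri not in client["redirect_uris"]:
        return Decision("error", reason="invalid_redirect_uri")

    requested = set(scope.split())
    approved = APPROVALS.get((client_id, user_id), set())
    # Skip consent only when the request asks for nothing new. A first-time
    # client, or any scope not yet granted, goes through the approval screen.
    if not requested or not requested <= approved:
        return Decision("consent", reason="scope_not_yet_approved")

    code = issue_code(client_id, user_id, redirect_uri, requested)
    params = {"code": code}
    if state is not None:
        params["state"] = state  # echo the client's CSRF token unchanged
    return Decision("redirect", location=f"{redirect_uri}?{urlencode(params)}",
                    code=code)


def redeem_code(code, client_id, redirect_uri):
    """Token endpoint check: the code is consumed on first use and must be
    presented by the client and redirect URI it was issued for."""
    entry = CODES.pop(code, None)
    if entry is None or entry["expires"] < time.time():
        return None
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None
    return entry
```

The subset comparison is what makes "the scope has not changed" safe in practice: a client that later asks for a narrower scope still skips consent, while any new scope forces the screen again. Storing approvals per client, user and scope (rather than a single "approved" flag) is what allows that check.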

ajibarra commented 8 years ago

Ok I will take a look then and make a PR. Thanks @dakota