From 4b40dc201af4795d2f4d923e9c7ac2c4f54f4eb4 Mon Sep 17 00:00:00 2001
From: Nikos
Date: Wed, 27 Mar 2024 12:40:03 +0200
Subject: [PATCH] fix: always request for consent if it is the device flow

---
 consent/strategy_default.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 00f813d67d7..19f2bb240f9 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -560,9 +560,13 @@ func (s *DefaultStrategy) requestConsent(
 	// The OpenID Connect Test Tool fails if this returns `consent_required` when `prompt=none` is used.
 	// According to the quote above, it should be ok to allow https to skip consent.
 	//
+	// Device initiated flows are never allowed to skip consent, the user must always implicitly authorize the device.
+	//
 	// This is tracked as issue: https://github.com/ory/hydra/issues/866
 	// This is also tracked as upstream issue: https://github.com/openid-certification/oidctest/issues/97
-	if !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {
+	if f.DeviceChallengeID != "" {
+		return s.forwardConsentRequest(ctx, w, r, ar, f, nil)
+	} else if !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {
 		return s.forwardConsentRequest(ctx, w, r, ar, f, nil)
 	}
 }
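Review bot: The added comment says the user must always "implicitly" authorize the device, but the code does the opposite — it forces the consent step so that the authorization is explicit; suggest `// Device initiated flows are never allowed to skip consent; the user must always explicitly authorize the device.` The new `if f.DeviceChallengeID != ""` branch and the `else if` branch both return the identical `s.forwardConsentRequest(ctx, w, r, ar, f, nil)`, so they could be folded into one condition, `if f.DeviceChallengeID != "" || !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {`, keeping the device check first so `ar.GetRedirectURI()` is never evaluated for a device request (whether such a request carries a redirect URI at all is not visible in the hunk). The diffstat shows only strategy_default.go changed, so a test pinning that a flow with a non-empty DeviceChallengeID always reaches the consent screen would be worth adding, since this check is what prevents the https/localhost skip from being applied to device authorizations. The enclosing requestConsent body starts outside the hunk.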