5
votes

According to the OpenID Connect Core 1.0 specification, if an authentication request contains the parameter prompt with the value none, the server must process it the following way:

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

My problem is that whenever I try to validate an access token received before this way (passing the prompt=none pair along with the other required parameters), the WSO2 IS server always replies with code 302 and redirects to the login page. Below is the corresponding output from the following cURL command:

curl -v -k -X GET "https://localhost:9443/oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx" --header "Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4"

> GET /oauth2/authorize?prompt=none&scope=openid&client_id=BpMCycs5nBuZCpVLwSE5f6Hf5CYa&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy-app%2Fmy-ctx HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:9443
> Accept: */*
> Authorization: Bearer a65544593fg9c67rbf95fc24a6953cb4
>
< HTTP/1.1 302 Found
< Date: Thu, 14 Aug 2014 17:01:17 GMT
< Location: https://localhost:9443/commonauth/?sessionDataKey=bf5be153-4j31-429b-9fa6-97rr27da213&type=oidc&commonAuthCallerPath=/oauth2/authorize&forceAuthenticate=false&checkAuthentication=false&relyingParty=BpKCycd5dBfZdpVswSE5f6Hf5CYa&tenantId=-1234&prompt%3Dnone%26scope%3Dopenid%26client_id%3DBpKCycr5dBuZCpVBwSE5f6Hf5CYa%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8080%252Fmy-app%252Fmy-ctx

Could someone tell me: is it a problem in the authentication request itself and I did something wrong, or does the WSO2 IS server's behaviour in this case not conform to the specification?

I work with WSO2 Identity Server 5.0.0.

Thanks in advance for your answers!

2
Did you ever figure this out? I have the same question. Documentation is almost non-existent AFAIK. - Raf
Your request seems OK. Ask the implementor of WSO2 Identity Server about whether prompt=none is implemented or not. - Takahiko Kawasaki
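The spec behaviour the question quotes can be checked mechanically: send the prompt=none request, do not follow redirects, and look at where the first 302 points. A conforming provider must redirect back to redirect_uri, either with a code (session exists) or with error=login_required or another *_required error; a redirect to a login page, or a 200 carrying a login form, means UI was shown despite prompt=none. The script below is an added example, not code from the original post or from WSO2; the client_id and redirect_uri are copied from the question, and the sample responses it classifies are constructed. One point worth keeping in mind: "already authenticated" in the spec refers to the End-User's session at the provider, normally a browser cookie, so a curl call that carries no session cookie is expected to get login_required rather than a code.

```python
"""Probe an OpenID Connect authorization endpoint with prompt=none.

Added example; not code from the original question or from WSO2.
client_id and redirect_uri come from the question; the state value and
the sample responses below are made up for the demo.

OpenID Connect Core 1.0 (3.1.2.1, 3.1.2.6): with prompt=none the server
MUST NOT show a login or consent page. It redirects to redirect_uri with
a code (session exists) or with a *_required error (no session/consent).
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "BpMCycs5nBuZCpVLwSE5f6Hf5CYa"            # from the question
REDIRECT_URI = "http://localhost:8080/my-app/my-ctx"   # from the question
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"

# Errors the spec lets the server return instead of showing UI (3.1.2.6).
SPEC_PROMPT_NONE_ERRORS = {
    "login_required", "interaction_required",
    "consent_required", "account_selection_required",
}


def build_authorize_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                        endpoint=AUTHORIZE_ENDPOINT, state="probe-1"):
    """Code-flow authentication request with prompt=none; urlencode produces
    the percent-encoded redirect_uri seen in the question's curl line."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "prompt": "none",
        "state": state,  # lets the caller match the redirect to this request
    }
    return endpoint + "?" + urlencode(params)


def _same_endpoint(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc, a.path.rstrip("/")) == (b.scheme, b.netloc, b.path.rstrip("/"))


def classify_prompt_none_response(status, location, redirect_uri=REDIRECT_URI):
    """Judge the first response (redirects not followed) against the spec.

    Returns (verdict, detail):
      authenticated        redirected to redirect_uri with a code
      spec_error           redirected to redirect_uri with a *_required error
      nonstandard_error    redirected to redirect_uri with some other error
      login_page_redirect  redirected somewhere else, e.g. a login page
      ui_displayed         200 with a page, i.e. UI shown despite prompt=none
      unexpected           anything else
    """
    if status == 200:
        return ("ui_displayed", None)
    if status not in (302, 303, 307):
        return ("unexpected", f"status {status}")
    if not location:
        return ("unexpected", "redirect without Location header")
    if not _same_endpoint(location, redirect_uri):
        return ("login_page_redirect", location)
    parts = urlsplit(location)
    params = parse_qs(parts.query)
    params.update(parse_qs(parts.fragment))  # implicit/hybrid flows use the fragment
    if "error" in params:
        err = params["error"][0]
        return ("spec_error" if err in SPEC_PROMPT_NONE_ERRORS else "nonstandard_error", err)
    if "code" in params:
        return ("authenticated", None)
    return ("unexpected", location)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 instead of following it (curl without -L does the same)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(url, insecure=True):
    """Send the request and return (status, Location). insecure=True skips TLS
    verification, the equivalent of curl -k; acceptable only for a local test."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        resp = opener.open(url, timeout=10)
        return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # raised for the unfollowed 302
        return e.code, e.headers.get("Location")


# Constructed sample responses (not captured from a real server).
SPEC_CONFORMANT_LOCATION = REDIRECT_URI + "?error=login_required&state=probe-1"
WSO2_STYLE_LOCATION = ("https://localhost:9443/commonauth/?sessionDataKey=x"
                       "&type=oidc&commonAuthCallerPath=/oauth2/authorize")

if __name__ == "__main__":
    print(build_authorize_url())
    for st, loc in [(302, SPEC_CONFORMANT_LOCATION), (302, WSO2_STYLE_LOCATION), (200, None)]:
        print(st, classify_prompt_none_response(st, loc))
    # Against a running server: classify_prompt_none_response(*probe_live(build_authorize_url()))
```

Run against a live server, a redirect to /commonauth/ like the one in the question is classified as login_page_redirect, while error=login_required at redirect_uri is the answer the spec calls for; the state parameter is included so a real client can tie the redirect back to the request it sent.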

2 Answers

2
votes

According to the spec, the prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.

But in this request, only send none as the prompt value; if the prompt value is set to none with any other value, it gives an error.

Example:

curl -v -k -X GET "https://localhost:9444/oauth2/authorize?prompt=none+login&scope=openid..."

0
votes

Maybe you can use the following request to validate the token:

curl -k -H "Authorization: Bearer <token>" \
https://localhost:9443/oauth2/userinfo?schema=openid

It returns user info if the user is authenticated. I know that this is a workaround and you cannot get the token expiry date, but in some cases it can be useful. I came here with a similar problem and your question gave me the idea of how to solve it.