Client impersonation

Authorization servers must never process requests without user interaction unless the client’s identity is assured, such as through secure redirect URIs. While OIDC allows silent authentication with `prompt=none` if prior consent exists, some scenarios may require always prompting the user, which can be achieved by adding a special purpose item to force the consent page to appear.

Section 8.6 of RFC 8252 (https://datatracker.ietf.org/doc/html/rfc8252#section-8.6) states that "The authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured." It recommends that "Measures such as claimed "https" scheme redirects MAY be accepted by authorization servers as identity proof." You can configure the registered redirect URIs in the application so that they comply with that recommendation.

However, whenever a user session exists and a new authorization request is triggered, the request might be processed without any user interaction. This happens especially when a consent prompt is not required, or when all the consent items were already approved. This behavior is not wrong in itself, because OIDC defines prompt=none in https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest as follows: "The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent."

While this solution is acceptable for most applications, cases might exist where the preferred behavior is to always prompt.

The proposed solution is to inject a do-not-show purpose item into the request and force the consent page to be displayed. This solution is a three-part procedure: creating a purpose, creating a privacy policy, and editing existing applications.

Client impersonation solution

In the following procedure, the use of prompt as the purpose name and purpose ID, and of email as the selected attribute, is just an example. These fields can be any value.

Procedure

  1. Create a purpose.
    1. Select Data privacy & consent > Data purposes.
    2. Select Create purpose.
    3. Provide the general information.
      Use prompt as the purpose name and purpose ID.
    4. Select Next.
    5. Provide Default and custom settings.
      1. Skip Default duration in days.
      2. Select Default as the access type.
    6. Select Next.
    7. Select Add attributes and select email from the menu.
    8. Select Complete setup.
    9. Select Publish draft.
  2. Create a privacy policy.
    1. Select Data privacy & consent > Data privacy policy.
    2. Select Rule tab.
    3. Select Create rule.
    4. Provide the rule name Do Not Show Prompt Purpose.
    5. Select Next.
    6. Set the conditions.
      1. Select Add condition set.
      2. Select Add condition.
      3. Select Purpose as Condition type.
      4. Select prompt as the Value.
    7. Select Next.
    8. Set the Consent type & decision.
      1. For the Consent type, select Do not show purpose to user.
      2. For the Decision, select Explicit consent.
    9. Select Next.
    10. Skip Rule lifetime.
    11. Select Create rule.
  3. Edit your existing OIDC or OIDC for Open Banking application.
    1. Open the setting on your OpenID Connect or OpenID Connect for Open Banking application.
    2. Select the Privacy tab.
    3. Select Add purposes or EULA.
    4. Select the prompt purpose.
    5. Select Add purposes or EULA.
    6. Select the Sign-on tab.
    7. Under Endpoint configuration section, edit Authorize settings.
    8. Select Edit for Consent request.
    9. Copy and paste the following rule.
      statements:
        - context: scopeExists := has(requestContext.scope)
        - context: promptScope := [
            {"purpose":"prompt","attribute":"email","accessType":"default","scope":"prompt/email.default","required":false}
          ]
        - if:
            match: context.scopeExists
            block:
              - return: context.promptScope + requestContext.scope
            else:
              - return: context.promptScope
    10. Select OK.
    11. Select OK.
    12. Ensure that under Consent settings, the Ask for consent option is selected for User Consent.
    13. Select Save.