LoginRequest's skip field is set to true for another client / different scopes #3862

clement-buchart · 2024-10-23T15:37:10Z

clement-buchart
Oct 23, 2024

Hello,

The documentation for the skip field of the LoginRequest says :

	// Skip, if true, implies that the client has requested the same scopes from the same user previously.
	// If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.

Yet, if i authenticate with clientA on websiteA, and then start a login flow with clientB on websiteB, requesting an additional scope, the login request still has the skip parameter to true.

Looking at the code, I don't see any check on the scope or client when deciding to skip the login.
It seems like skip is simply set to true if while processing the request, the subject is known :

hydra/consent/strategy_default.go

Lines 202 to 204 in 9cc5f28

    
           if subject != "" { 
        
           	skip = true 
        
           }

Which of course is the case if a previous session is found via cookie. :
https://github.com/ory/hydra/blob/9cc5f28825bb80398a9830d4fcb220147f74504c/consent/strategy_default.go#L123C32-L169

Is this a bug or just a documentation oversight ?

Cheers,
Clément.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LoginRequest's skip field is set to true for another client / different scopes #3862

{{title}}

Replies: 0 comments

Select a reply

LoginRequest's skip field is set to true for another client / different scopes #3862

clement-buchart Oct 23, 2024

Replies: 0 comments

clement-buchart
Oct 23, 2024