OIDC with bypassApprovalPrompt


Charl Thiem

Aug 25, 2020, 7:56:02 AM
to cas-...@apereo.org
Hi

I'm using CAS 6.1.7 with OIDC Server
In my service definition I have

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId" : "https://the-redirect-uri",
  "name": "Test",
  "id": 1,
  "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ],
  "bypassApprovalPrompt" : true,
  "scopes" : [ "java.util.HashSet",
    [  "openid", "email", "offline_access"]
  ]
}

But after sign in I still get this prompt
[screenshot: the CAS consent approval screen shown after sign-in]
Is this screen expected while having bypassApprovalPrompt=true?
I was hoping to avoid this screen.

Regards / Groete
Charl Thiem

Charl Thiem

Aug 31, 2020, 7:37:15 AM
to cas-...@apereo.org
I have figured it out.

Turns out our external service using OIDC was sending a param to prompt for consent.
I figured this out by browsing through source code and finding org.apereo.cas.oidc.web.OidcConsentApprovalViewResolver#isConsentApprovalBypassed.

https://cas.domain.co.za/cas/oidc/authorize?prompt=consent&response_type=code&redirect_uri=https://the-redirect-uri&client_id=client&nonce=f19fe52f7d988708bb7bcb51f80984d2&state=27d138365aabe3282e15b4a88999b042&scope=email offline_access openid

Regards / Groete
Charl Thiem
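As an added illustration (not CAS's own code), the decision described in the thread can be modelled as a small checker: an explicit `prompt=consent` on the authorize request forces the approval screen, and only when it is absent does the registered service's `bypassApprovalPrompt` decide. The second URL below is constructed for comparison; the first is the one from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Registered service from the original post (only the field under test is kept).
SERVICE = {"clientId": "client", "bypassApprovalPrompt": True}

# Authorize request captured in the post: the client added prompt=consent.
POSTED_URL = ("https://cas.domain.co.za/cas/oidc/authorize?prompt=consent"
              "&response_type=code&redirect_uri=https://the-redirect-uri"
              "&client_id=client&nonce=f19fe52f7d988708bb7bcb51f80984d2"
              "&state=27d138365aabe3282e15b4a88999b042"
              "&scope=email offline_access openid")

# Constructed variant of the same request with the prompt parameter removed.
NO_PROMPT_URL = ("https://cas.domain.co.za/cas/oidc/authorize?response_type=code"
                 "&redirect_uri=https://the-redirect-uri&client_id=client"
                 "&nonce=f19fe52f7d988708bb7bcb51f80984d2"
                 "&state=27d138365aabe3282e15b4a88999b042"
                 "&scope=email offline_access openid")


def requested_prompts(authorize_url: str) -> set[str]:
    """Values of the OIDC `prompt` query parameter (space-separated list)."""
    query = parse_qs(urlsplit(authorize_url).query)
    # `prompt` may carry several values, e.g. "login consent"; split them all.
    return set(" ".join(query.get("prompt", [])).split())


def consent_screen_shown(authorize_url: str, service: dict) -> bool:
    """Approximation of the check the post points at
    (OidcConsentApprovalViewResolver#isConsentApprovalBypassed):
    prompt=consent from the client always shows the approval screen;
    otherwise the service's bypassApprovalPrompt flag decides."""
    if "consent" in requested_prompts(authorize_url):
        return True
    return not bool(service.get("bypassApprovalPrompt", False))


def explain(authorize_url: str, service: dict) -> str:
    """Human-readable reason, handy when reviewing why a consent page appeared."""
    prompts = requested_prompts(authorize_url)
    if "consent" in prompts:
        return "shown: client requested prompt=consent (overrides service setting)"
    if service.get("bypassApprovalPrompt", False):
        return "skipped: bypassApprovalPrompt=true and no prompt=consent"
    return "shown: bypassApprovalPrompt is false/unset"


if __name__ == "__main__":
    for url in (POSTED_URL, NO_PROMPT_URL):
        print(explain(url, SERVICE))
```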