
[google connector] prompt=consent on all offline_access scopes #3450

Open · 3 tasks done
TheRealNoob opened this issue Apr 4, 2024 · 5 comments

@TheRealNoob commented Apr 4, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.39.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

Dex should omit the prompt field when using the Google connector. Or allow it to be configurable using config.promptType.

Actual Behavior

If someone opens an authentication flow against Dex with scope=["offline_access"] then dex includes prompt=consent on its request to Google every time (this code). This adds unnecessary dialogue boxes for the user. Per Google's docs:

You can prompt the user to re-authorize your app by setting the prompt parameter to consent in your authentication request. When prompt=consent is included, the consent screen is displayed every time your app requests authorization of scopes of access, even if all scopes were previously granted to your Google APIs project. For this reason, include prompt=consent only when necessary.

Per these docs (see the table) if you omit the prompt field, then Google will prompt on first consent and not after.

Steps To Reproduce

No response

Additional Information

No response

Configuration

No response

Logs

No response

@nabokihms (Member) commented Apr 9, 2024

Making it configurable is a good improvement.

@TheRealNoob (Author) commented

@nabokihms it seems it's not possible to omit the prompt field via promptType. Perhaps there's another way? Or if it's added to the Google connector, it would only make sense that it would have to be added to all?

@abhisek (Contributor) commented Apr 13, 2024

Looks like a simple fix to me that involves:

  1. Introduce a new configuration parameter, essentially a boolean toggle
  2. Based on the config, include or skip adding oauth2.SetAuthURLParam("prompt", "consent") in the LoginURL

Skipping prompt=consent in LoginURL is not a problem because Google will automatically ask for consent first time as per documentation.

p.s: Apologies if the suggestion is way off the mark. I just glanced through the Google connector code and not entirely familiar with the larger dex codebase yet.

@nabokihms (Member) commented Apr 13, 2024

I believe the behavior should be the same as that of the generic OIDC connector

// PromptType should be "consent" by default, if not set

As for me, the fix also looks straightforward
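A constructed Go example of the behaviour proposed in the two comments above (a boolean-style toggle on the Google connector, aligned with the generic OIDC connector's "consent by default" rule). This is added here for illustration and is not dex's connector code: the option name PromptType, the Config shape and the sample client values are assumptions, and the URL is assembled with net/url instead of oauth2.SetAuthURLParam so it runs with the standard library alone. The access_type=offline parameter is Google's own mechanism for issuing a refresh token; it is included so the URL is realistic, but it is not part of the issue discussion.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed example for issue #3450; not dex's own code. It models a
// promptType option on the Google connector that defaults to "consent"
// (matching the generic OIDC connector), honours an explicit value, and
// omits the prompt parameter entirely when set to "".

const googleAuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"

// Config is a reduced stand-in for the connector config. PromptType is the
// assumed option name; nil means the key was not set at all.
type Config struct {
	ClientID    string
	RedirectURI string
	PromptType  *string
}

// promptValue returns the prompt parameter to send and whether to send it.
func promptValue(c Config) (string, bool) {
	if c.PromptType == nil {
		return "consent", true // default, as in the generic OIDC connector
	}
	if *c.PromptType == "" {
		return "", false // explicitly omitted: Google prompts on first consent only
	}
	return *c.PromptType, true
}

// LoginURL builds the Google authorization URL for the requested dex scopes.
// offline_access is a dex-level scope that Google does not accept, so it is
// stripped from the scope list and expressed as access_type=offline (Google's
// parameter for obtaining a refresh token; not discussed in the issue itself).
func LoginURL(c Config, scopes []string, state string) string {
	offline := false
	var googleScopes []string
	for _, s := range scopes {
		if s == "offline_access" {
			offline = true
			continue
		}
		googleScopes = append(googleScopes, s)
	}

	q := url.Values{}
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(googleScopes, " "))
	q.Set("state", state)

	if offline {
		q.Set("access_type", "offline")
		// Today dex unconditionally adds prompt=consent here; the proposed
		// change gates it on the configured promptType.
		if p, ok := promptValue(c); ok {
			q.Set("prompt", p)
		}
	}
	return googleAuthEndpoint + "?" + q.Encode()
}

func main() {
	// Sample values are constructed for the demo.
	cfg := Config{ClientID: "example-client-id", RedirectURI: "https://dex.example.com/callback"}
	scopes := []string{"openid", "profile", "email", "offline_access"}

	fmt.Println("promptType unset (consent):", LoginURL(cfg, scopes, "state123"))

	omit := ""
	cfg.PromptType = &omit
	fmt.Println("promptType \"\" (omitted):   ", LoginURL(cfg, scopes, "state123"))

	sel := "select_account"
	cfg.PromptType = &sel
	fmt.Println("promptType select_account: ", LoginURL(cfg, scopes, "state123"))
}
```

Running it prints three URLs: the first carries prompt=consent, the second has no prompt parameter at all, and the third carries the explicit value; a request without offline_access never gets access_type or prompt in any of the three configurations.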

@abhisek (Contributor) commented Apr 13, 2024

@nabokihms I raised a PR to allow explicit prompt configuration for the Google connector. I don't think we can skip the value entirely without "misaligning" with the behaviour of consent as default prompt used in generic OIDC connector

3 participants