Preflight checklist
Ory Network Project
No response
Describe the bug
Today I wanted to set up an OCIS instance together with the accompanying ownCloud Android App. The Android App is using the following (hardcoded) configuration:
```xml
<string name="oauth2_redirect_uri_scheme">oc</string>
<string name="oauth2_redirect_uri_host">android.owncloud.com</string>
<string name="oauth2_redirect_uri_path"></string>
<string name="oauth2_openid_scope">openid offline_access email profile</string>
<string name="oauth2_openid_prompt">select_account consent</string>
```
Source: https://github.com/owncloud/android/blob/4bb98f0715e7bd33cbd01946d2f9d23ba7671113/owncloudApp/src/main/res/values/setup.xml#L93
This effectively results in the following HTTP query params during the OIDC flow. Please focus on the `prompt` param:
```
?client_id=...
&code_challenge=...
&code_challenge_method=S256
&login_verifier=...
&prompt=select_account+consent
&redirect_uri=oc%3A%2F%2Fandroid.owncloud.com
&response_type=code
&scope=openid+offline_access+email+profile&state=...
```
According to the Authentication Request spec, this is legitimate. However, it leads to the following error message:
```json
{
  "error": {
    "debug": "",
    "message": "invalid_request",
    "reason": "Used unknown value '[select_account consent]' for prompt parameter",
    "status": "Bad Request",
    "status_code": 400
  }
}
```
As far as I can tell (and according to #1943), Hydra is unable to handle multiple user sessions at once and hence the "user account selection" could simply be skipped (as there is always at most one active session). The consent screen logic is also already implicitly handled by Hydra, so that one could be skipped/ignored as well IMO.
I wonder what the suggested approach to handle this is? Given that the request is well-formed and Hydra is OpenID Certified, I cannot believe that there isn't a (clean) way around this (other than rewriting the URL).
Reproducing the bug
- Download the official ownCloud Android app https://play.google.com/store/apps/details?id=com.owncloud.android&hl=en
- Connect to an ownCloud instance which is set up to use a Hydra-backed OIDC provider for authentication.
Relevant log output
Relevant configuration
Version
v2.3.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
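As an added example that is not part of this issue or of Hydra's own code: a Go parser for the OIDC `prompt` parameter that treats the value as a space-delimited, case-sensitive list as OpenID Connect Core 1.0 section 3.1.2.1 specifies, so the `select_account consent` request from the report above is accepted, while unknown values and the forbidden combination of `none` with any other value are still rejected. The function names and the sample query string are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Prompt values defined by OpenID Connect Core 1.0, section 3.1.2.1.
var knownPrompts = map[string]bool{
	"none": true, "login": true, "consent": true, "select_account": true,
}

// ParsePrompt splits a prompt parameter into its space-delimited values and
// validates them: unknown values are rejected, and "none" must stand alone.
func ParsePrompt(raw string) ([]string, error) {
	if raw == "" {
		return nil, nil // parameter absent: the AS is free to prompt as needed
	}
	values := strings.Fields(raw) // tolerates repeated whitespace
	seen := map[string]bool{}
	for _, v := range values {
		if !knownPrompts[v] {
			return nil, fmt.Errorf("unknown prompt value %q", v)
		}
		seen[v] = true
	}
	if seen["none"] && len(seen) > 1 {
		return nil, errors.New("prompt=none must not be combined with other values")
	}
	return values, nil
}

// PromptFromQuery extracts and validates prompt from a raw query string, so
// that "+" and "%20" encoded spaces are decoded before the value is split.
func PromptFromQuery(rawQuery string) ([]string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	return ParsePrompt(q.Get("prompt"))
}

func main() {
	// Constructed query resembling the one in the report (other values abbreviated).
	vals, err := PromptFromQuery("client_id=x&prompt=select_account+consent&response_type=code")
	fmt.Println(vals, err) // [select_account consent] <nil>
}
```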