
Commit a9c907d

authored
Add prompt=consent for OIDC offline_access scope (#681)
1 parent 5b99c24 commit a9c907d


2 files changed

+21
-0
lines changed


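--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -714,6 +714,20 @@ describe("OAuth Authorization", () => {
 expect(authorizationUrl.searchParams.has("state")).toBe(false);
 });
 
+// OpenID Connect requires that the user is prompted for consent if the scope includes 'offline_access'
+it("includes consent prompt parameter if scope includes 'offline_access'", async () => {
+const { authorizationUrl } = await startAuthorization(
+"https://auth.example.com",
+{
+clientInformation: validClientInfo,
+redirectUrl: "http://localhost:3000/callback",
+scope: "read write profile offline_access",
+}
+);
+
+expect(authorizationUrl.searchParams.get("prompt")).toBe("consent");
+});
+
 it("uses metadata authorization_endpoint when provided", async () => {
 const { authorizationUrl } = await startAuthorization(
 "https://auth.example.com",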
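Review bot: The new test pins only the positive case, so an inverted or always-true condition in startAuthorization would still pass; a companion assertion on a request whose scope omits `offline_access` would guard the direction of the check, e.g. `expect(authorizationUrl.searchParams.has("prompt")).toBe(false);` added to an existing case that already uses a plain scope (its lines are outside this hunk). A further case whose scope carries a token that merely contains the text, such as a constructed `offline_access_ext`, would document whether the implementation intends substring or whole-token matching. The enclosing describe block starts and ends outside the hunk.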

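--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -614,6 +614,13 @@ export async function startAuthorization(
 authorizationUrl.searchParams.set("scope", scope);
 }
 
+if (scope?.includes("offline_access")) {
+// if the request includes the OIDC-only "offline_access" scope,
+// we need to set the prompt to "consent" to ensure the user is prompted to grant offline access
+// https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+authorizationUrl.searchParams.append("prompt", "consent");
+}
+
 if (resource) {
 authorizationUrl.searchParams.set("resource", resource.href);
 }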
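Review bot: `scope?.includes("offline_access")` on the first added line is a substring test over the space-delimited scope string, so any scope token that merely contains that text (a constructed vendor token such as `x_offline_access_admin`) would also force the consent prompt; tokenizing first keeps the check to the OIDC scope the comment refers to, `if (scope?.split(/\s+/).includes("offline_access")) {`. The neighbouring `scope` and `resource` parameters are written with `searchParams.set`, while the new line uses `append`; if a `prompt` value can already be present on the URL at this point, `append` produces a repeated parameter whose handling varies by server, so `authorizationUrl.searchParams.set("prompt", "consent");` keeps the query unambiguous and consistent with the surrounding lines. startAuthorization's body starts and ends outside the hunk, so whether an earlier prompt value can exist is not visible here.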
