OIDC extension and ClearAttributeReleaseConsent

Henri Mikkonen henri.mikkonen at csc.fi
Thu Aug 20 09:52:12 UTC 2020

Hi Darren,

> On 19 Aug 2020, at 15.52, Darren Boss <darren.boss at computecanada.ca> wrote:
> I don't have all that many OIDC clients yet and most are applications
> developed in house. I just set up Harbor which is an open source
> container registry with OIDC as they don't support SAML. I'm getting
> the attribute consent release on every authentication and seeing
> |harbor|ClearAttributeReleaseConsent|myuid||||
> in the logs.
> I double checked all the other registered OIDC clients and none of
> them exhibit this behavior and a few of them have the same scopes or
> even an additional scope configured and behave normally.

I’d check if Harbor includes prompt=consent in the OIDC authentication request message [1]. Also, if offline_access scope is granted to the RP and it’s requested in the authn request [2], the consent is asked from the end-user again.


[1] https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
[2] https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
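
One way to run the two checks suggested in the reply above against an authentication request URL captured from the browser or a proxy log. This is an added example, not part of the original message and not Shibboleth or Harbor code; the IdP host, the sample URLs and the function names are constructed for illustration. It goes slightly beyond the reply by also reading a `request` object, if one is present, since its claims supersede the query parameters.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (hypothetical IdP host; client_id taken from the log line above).
FORCED = ("https://idp.example.org/authorize?client_id=harbor&response_type=code"
          "&scope=openid+profile+offline_access&prompt=login%20consent")
NORMAL = ("https://idp.example.org/authorize?client_id=harbor&response_type=code"
          "&scope=openid+profile")


def _request_object_claims(jwt):
    """Decode, without verifying, the payload of a `request` JWT (diagnostic use only)."""
    try:
        payload = jwt.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError):
        return {}
    return claims if isinstance(claims, dict) else {}


def consent_triggers(authn_request_url):
    """Return which of the two re-consent triggers the request carries."""
    query = parse_qs(urlsplit(authn_request_url).query)
    params = {name: values[-1] for name, values in query.items()}
    # Claims in a request object supersede the plain query parameters (OIDC Core, section 6.1).
    for name, value in _request_object_claims(params.get("request", "")).items():
        if isinstance(value, str):
            params[name] = value
    reasons = []
    # Both prompt and scope are space-delimited lists, so test membership, not equality.
    if "consent" in params.get("prompt", "").split():
        reasons.append("prompt=consent")
    if "offline_access" in params.get("scope", "").split():
        reasons.append("scope=offline_access")
    return reasons


if __name__ == "__main__":
    for url in (FORCED, NORMAL):
        print(consent_triggers(url) or "no forced-consent trigger", "<-", url)
```

An empty result for a client that still re-prompts means the cause lies outside these two request-side triggers.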