OIDC extension and ClearAttributeReleaseConsent

Darren Boss darren.boss at computecanada.ca
Thu Aug 20 12:44:55 UTC 2020

It was the offline_access scope which was the cause. Thanks for the explanation.

Still ramping up on my OIDC knowledge.

On Thu, Aug 20, 2020 at 5:52 AM Henri Mikkonen <henri.mikkonen at csc.fi> wrote:
> Hi Darren,
>
> On 19 Aug 2020, at 15.52, Darren Boss <darren.boss at computecanada.ca> wrote:
> > I don't have all that many OIDC clients yet and most are applications
> > developed in house. I just set up Harbor which is an open source
> > container registry with OIDC as they don't support SAML. I'm getting
> > the attribute consent release on every authentication and seeing
> > |harbor|ClearAttributeReleaseConsent|myuid||||
> > in the logs.
> >
> > I double checked all the other registered OIDC clients and none of
> > them exhibit this behavior and a few of them have the same scopes or
> > even an additional scope configured and behave normally.
>
> I’d check if Harbor includes prompt=consent in the OIDC authentication request message [1]. Also, if offline_access scope is granted to the RP and it’s requested in the authn request [2], the consent is asked from the end-user again.
>
> BR,
> Henri.
>
> [1] https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
> [2] https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at computecanada.ca
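
The two checks Henri suggests, as an added example that is not part of the original thread nor code from Harbor or the Shibboleth OIDC extension: a Python helper that inspects a captured authentication request URL for prompt=consent and for a requested offline_access scope. The function name, the granted-scope set and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs


def consent_reprompt_reasons(auth_request_url, granted_scopes):
    """List why an OIDC authentication request would make the OP ask for consent again.

    granted_scopes: scopes the OP has granted to this RP (assumed to be known
    from the client's registration metadata).
    """
    params = parse_qs(urlsplit(auth_request_url).query)
    # prompt and scope are space-delimited, case-sensitive lists;
    # parse_qs already decodes '+' and %20 to spaces.
    prompt = set(" ".join(params.get("prompt", [])).split())
    scope = set(" ".join(params.get("scope", [])).split())

    reasons = []
    if "consent" in prompt:
        reasons.append("prompt=consent")
    if "offline_access" in scope and "offline_access" in granted_scopes:
        reasons.append("offline_access requested and granted")
    return reasons


# Constructed sample requests (hypothetical host, client_id and redirect_uri).
BASE = ("https://idp.example.org/authorize?response_type=code"
        "&client_id=harbor&redirect_uri=https%3A%2F%2Fharbor.example.org%2Fcallback")
SAMPLES = {
    "plain": BASE + "&scope=openid+profile+email",
    "offline": BASE + "&scope=openid%20profile%20offline_access",
    "forced": BASE + "&scope=openid&prompt=login+consent",
}

if __name__ == "__main__":
    granted = {"openid", "profile", "email", "offline_access"}
    for name, url in SAMPLES.items():
        print(name, consent_reprompt_reasons(url, granted) or "no forced consent")
```

Run it against the authentication request the RP actually sends, for example one copied from the browser's address bar or a proxy log during login.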
