Description
If I am running two apps, app.my-app.test and admin.my-app.test, both of them are first party applications, and I am using the auth code grant or implicit grant to authorize admin.my-app.test with the Passport server running on app.my-app.test, the user will currently see a consent dialog like this:
Since both of these applications are first party apps I would like to be able to skip the consent dialog.
A good example of this is Google. If you go to mail.google.com and are not logged in, you will be redirected to accounts.google.com. You will not see a consent screen but instead will continue to the normal login screen.
Another example of this is Auth0 - they let you skip the consent dialog for first party apps.
Okta lets you specify what scopes should require consent.
edit: Looks like doorkeeper in ruby, Django OAuth Toolkit, and IdentityServer in .NET support this too.
The OAuth 2.0 IETF doc allows this explicitly:
    If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means).
Rationale
Developers (understandably) don't want to show a consent screen for their own apps. I've seen developers reach for the password grant instead because there is no consent screen involved.
The password grant doesn't allow you to prompt the user for multi-factor authentication, use social login, etc., doesn't support single sign-on, and trains users to get phished. It's less secure and shouldn't really be used.
Skipping the consent screen is already supported by other major OAuth providers. It doesn't create a security risk as long as it's limited to first party clients.
It's currently difficult to add this yourself. You have to override the Authorization controller which requires copying ~30 lines of code. Then you have to register a route but it needs to be registered after the AuthServiceProvider runs; otherwise Passport overwrites it.
Implementation Thoughts
We would need a way to determine if the client is first party or not. Maybe add a boolean column?
Alternatively we could allow registering a callback, i.e.
    use Laravel\Passport\Client;
    use Laravel\Passport\Passport;

    Passport::canSkipConsent(function (Client $client) {
        return $client->isFirstParty(); // This is a made up method the user added themselves
    });

I like the idea of the callback because it's backwards compatible and flexible enough to accommodate any use case.
Maybe in the next major version the callback could default to $client->isFirstParty() and we could add the boolean column?
I'd be willing to write the PR. What do you think?
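Added example, not code from this issue or from Passport itself: a self-contained PHP sketch of how the proposed callback could be wired and consulted by the authorization endpoint. `ConsentPolicy`, `shouldSkipConsent`, `authorizeDecision`, the `firstParty` flag and the two sample clients are assumptions made for illustration. It goes one step beyond the callback in the issue by also passing the requested scopes to the callback, so a first-party client can skip consent only for an allow-listed scope set (the Okta-style behaviour mentioned above) and is still prompted for anything broader.

```php
<?php
// Added example (not Laravel Passport's code). Models the proposed
// Passport::canSkipConsent() registry and the decision the authorization
// endpoint would make after authenticating the user. Requires PHP 8.0+.

declare(strict_types=1);

// Stand-in for Laravel\Passport\Client with only the fields the policy needs.
// $firstParty is a constructed flag, not an existing Passport column.
final class Client
{
    public function __construct(
        public string $id,
        public string $name,
        public bool $firstParty,
    ) {}
}

// Stand-in for the Passport facade's static callback registry (hypothetical).
final class ConsentPolicy
{
    /** @var null|callable(Client, string[]): bool */
    private static $callback = null;

    public static function canSkipConsent(callable $callback): void
    {
        self::$callback = $callback;
    }

    // Backwards compatible default: with no callback registered, every
    // client goes through the consent dialog exactly as today.
    public static function shouldSkipConsent(Client $client, array $scopes): bool
    {
        if (self::$callback === null) {
            return false;
        }
        return (bool) (self::$callback)($client, $scopes);
    }
}

// What the authorization endpoint does once the resource owner is
// authenticated: "approve" is the "approval via other means" path from
// RFC 6749, "prompt" renders the consent view.
function authorizeDecision(Client $client, array $scopes): string
{
    return ConsentPolicy::shouldSkipConsent($client, $scopes) ? 'approve' : 'prompt';
}

// Registration, e.g. in AuthServiceProvider::boot(). Only first-party
// clients may skip consent, and only for a bounded, allow-listed scope set;
// a third-party client, or a first-party one asking for more, still prompts.
ConsentPolicy::canSkipConsent(function (Client $client, array $scopes): bool {
    $allowedWithoutConsent = ['profile', 'email']; // constructed allow-list
    return $client->firstParty && array_diff($scopes, $allowedWithoutConsent) === [];
});

// Constructed sample clients.
$admin  = new Client('1', 'admin.my-app.test', firstParty: true);
$vendor = new Client('2', 'partner.example',   firstParty: false);

assert(authorizeDecision($admin,  ['profile']) === 'approve');
assert(authorizeDecision($admin,  ['profile', 'admin:write']) === 'prompt');
assert(authorizeDecision($vendor, ['profile']) === 'prompt');
echo "consent policy checks passed\n";
```

The scope check is the part worth keeping even if the boolean column lands later: a "first party" bit alone lets any scope be granted silently, whereas the callback lets the application decide which scopes a first-party client may obtain without the user ever seeing them.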
