Hey,
#222 already touched on this but was closed. I don’t think that the issue is actually resolved.
This code path controls the per-client require-consent setting:

```python
if not authorize.client.require_consent and (
    authorize.is_client_allowed_to_skip_consent()
    and "consent" not in authorize.params["prompt"]
):
    return redirect(authorize.create_response_uri())
```

So if my client doesn’t require consent it’s still going to enter `authorize.is_client_allowed_to_skip_consent`, which will only return `True` if the client is either confidential or is using one of `id_token` or `id_token token` as response types. So a public client using the `code` response type will always trigger consent even if `require_consent` is disabled for the client.

I could provide a pull request but I’m not sure why `is_client_allowed_to_skip_consent` would only allow skipping consent for the `id_token` and `id_token token` response types. Is there any reasoning behind this?
Thank you for your time and effort!
Cheers
Konrad
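A stand-alone model of the decision path quoted in the issue, added here as an example and not code from the project the issue is about: it reproduces the reported case (public client, `code` response type, `require_consent` disabled) and enumerates the other combinations. The `Client` fields and the helper's body are assumptions based on the issue's description, not the project's implementation.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Client:
    client_type: str      # "confidential" or "public" (assumed field names)
    response_type: str    # "code", "id_token" or "id_token token"
    require_consent: bool


def is_client_allowed_to_skip_consent(client: Client) -> bool:
    # Behaviour as the issue describes it (assumption, not the project's code):
    # only confidential clients, or clients using the id_token / id_token token
    # response types, are allowed to skip consent.
    return (client.client_type == "confidential"
            or client.response_type in ("id_token", "id_token token"))


def consent_required(client: Client, prompt: tuple[str, ...] = ()) -> bool:
    # Mirrors the quoted view logic: consent is skipped only when all three
    # conditions hold; in every other case the user is shown the consent page.
    skip = (not client.require_consent
            and is_client_allowed_to_skip_consent(client)
            and "consent" not in prompt)
    return not skip


def consent_matrix(prompt: tuple[str, ...] = ()) -> dict[Client, bool]:
    # Every combination of client type, response type and require_consent,
    # so the case the issue reports (public + code + require_consent=False
    # still showing consent) stands out against the others.
    return {
        Client(ct, rt, rc): consent_required(Client(ct, rt, rc), prompt)
        for ct, rt, rc in product(("confidential", "public"),
                                  ("code", "id_token", "id_token token"),
                                  (True, False))
    }


if __name__ == "__main__":
    for client, required in consent_matrix().items():
        print(f"{client.client_type:13} {client.response_type:15} "
              f"require_consent={str(client.require_consent):5} "
              f"-> consent shown: {required}")
```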