feat: add SkipAuthorization option for OIDC clients#988
Conversation
📝 WalkthroughWalkthroughAdds ChangesSkip Authorization Flow
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/controller/oidc_controller.go`:
- Around line 209-237: The SkipAuthorization flow in oidc_controller.go is
issuing a code before the existing re-authentication checks (`prompt=login` and
`max_age`) are evaluated. Update the authorize path around the
`controller.oidc.DeleteAuthorizeRequestTicket`, `CreateSub`, and `CreateCode`
logic so consent can still be skipped only after all login freshness
requirements have passed, and ensure the same fix is applied to the other
matching authorize branch referenced in the comment.
- Line 236: The redirect in the OIDC callback is appending a new query string
with “?” in OIDCController’s callback flow, which breaks redirect URIs that
already have existing parameters. Update the redirect construction to merge the
new callback parameters into the parsed RedirectURI’s existing query values
instead of concatenating raw strings, then encode them back before calling
c.Redirect. Use the OIDC controller callback logic and the req.RedirectURI
handling as the main places to adjust, and add the needed net/url import for
parsing and rebuilding the URL.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: cd115e3f-7d93-4130-9dbf-34f17de3bc0a
📒 Files selected for processing (2)
internal/controller/oidc_controller.gointernal/model/config.go
|
Hello @Miista. There is an issue with this implementation. Setting one flag to disable the consent screen for every single user is a bad security choice. The users should be asked for approval at least once and then we can omit the consent screen. This effectively means that we will need some sort of state, either in the browser or in the database. Additionally, even in the case where the consent screen is skipped, the authorization should still follow the same route just with I will continue progress tracking for this feature in #989. In any case, thank you for taking the time to work on this and we will definitely implement a way for the consent screen to be skipped in v5.2.0. |
|
@steveiliop56 But the user is asked once the first time they log in? We are literally only skipping if the current user is already authorized for the given application. |
Problem
When a user logs in via OIDC, they are always shown a consent screen asking them to authorize the client. For trusted, self-hosted clients this is unnecessary friction — the user is effectively asked "do you trust your own app?" every time their session expires.
Fixes #878
Solution
Add a
skipAuthorizationboolean field toOIDCClientConfig. When set totrueand the user is already authenticated, the authorize endpoint bypasses the consent screen and immediately issues the authorization code and redirects back to the client.Configuration
Environment variable:
YAML:
Notes
authorizeComplete).AI Disclosure
This pull request was developed with AI assistance (Claude). The implementation has been reviewed and is fully understood by the author.
Summary by CodeRabbit
New Features
skipAuthorizationoption for OIDC clients to bypass the consent/authorization screen when the user is already signed in and no login is forced.codeandstate).Behavior Updates
max_ageindicates the existing session is too old, login may be required even ifskipAuthorizationis enabled.