The Authorization Server requires End-User consent when set the offline_access scope

[sdayu]

After updating to 2024.2.1, refresh_token required offline_access, When I set the provider scope and identified offline_access scope in the client. Authentik shown

consent_required: The Authorization Server requires End-User consent

Please, help me to solve this problem.

[BramVandenbossche]

I had the same issue with my harbor instance after upgrading from 2023.10.7 -> 2024.2.1. For me it was solved when I placed the scopes in the same order as in authentik. I first added offline_access at the end, resulting in your issue. I have it now configured as this:

[nima-karimi]

I also have this issue with Grafana as the client (reordering the scopes did not help). The client needs to send a prompt=consent parameter when requesting offline_access scope (#), but Grafana doesn't do that.

If I manually add the prompt parameter to the auth URL in Grafana, it works and takes me to the consent page. E.g., https://auth.example.com/application/o/authorize/?prompt=consent

The error is coming from this line:

authentik/authentik/providers/oauth2/views/authorize.py

Lines 257 to 260 in 7359057

	if PROMPT_CONSENT not in self.prompt:
	raise AuthorizeError(
	self.redirect_uri, "consent_required", self.grant_type, self.state
	)

[bbaumgartl]

Thank you @nima-karimi this worked. A downside is that the user always gets asked for their consent because the it is not saved in the user account anymore.

PS: If i set the Authorization Flow of the Provider from implicit to explicit the consent is saved. This seems kinda counterintuitive and in my opinion makes the use of the implicit flow useless. Is this the intended behaviour?

[BeryJu]

@nima-karimi I suppose there was a mistake in the interpretation of the spec there, seeing as if prompt=consent isn't set authentik is supposed to just pretend the offline_access scope wasn't requrested

@bbaumgartl The reason for this is when using a flow without a consent stage and the prompt=consent parameter is set, authentik will inject a consent stage into the flow that requires consent to always be given. If there already is such a stage in the flow (like with the default explicit authorization flow) then the OAuth provider can't change it so the settings of that stage will have higher priorty

[Fuseteam]

@nima-karimi I suppose there was a mistake in the interpretation of the spec there, seeing as if prompt=consent isn't set authentik is supposed to just pretend the offline_access scope wasn't requrested

it seems authentik is not doing this as of 2024.12.3 #13068