Authorization flow

[tomkersten]

The following behaviors are present which seem to be out of line with my expectations:

When signing into a client application:

1. If the visitor has already logged into the auth server, the session is not "remembered" forcing them to log in every time.
2. When a visitor has logged out of a client application and attempts to log back into an application they have already authorized, they are prompted with an authorization request every time (vs remembering they had previously authorized the application).
3. Trusted applications are prompting for authorization.

[christiansmith]

@tomkersten,

1. The behavior you're looking for works at the /authorize endpoint, but not the /signin endpoint. It should be as simple as adding oidc.requireSignin to the middleware stack for that route. Whether or not we should do this at the signin/signup/connect endpoints is an open question.
2. should only be an issue at the moment with 3rd party clients, because trusted clients skip the user consent step. I'll made another issue Reuse previous user consent when reauthorizing a third party client #26 so we can track this separately.
3. for some reason I can't reproduce this. I just tried with a fresh install and it works fine. We might have missed something in our last pairing session. Could you give it another try and let me know if it's still behaving unexpectedly?

Thanks!

[tomkersten]

1. Hmm. Ok. I'll verify the behavior I witnessed against the current release and check back if I'm not seeing this...
2. Great.
3. Will do.

[christiansmith]

Closing this for now. Reopen if necessary.