prompt=none redirects to login screen.

[dopry]

Describe the bug
When trying to do silent login or prompt=none login /o/authorize redirects to the login screen.

This is because it oauth2_provider.views.AuthorizationView extends LoginRequiredMixin via BaseAuthorizationView.

To Reproduce

setup any OIDC silent auth enabled client, I used https://github.com/dopry/svelte-oidc, with the django oauth toolkit and enable the chrome debugger in your browser, login then reload the client.

You will see a request to http://127.0.0.1:8000/o/authorize/... in an iframe with a 302 Location redirect to /admin/login?next=/o/authorize/

you will also see in the console fused to display 'http://127.0.0.1:8000/' in a frame because it set 'X-Frame-Options' to 'deny'.

Expected behavior

per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

prompt - OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

• none

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

and there should be no xframe deny error.

Version

25f6de5

• I have tested with the latest published release and it's still a problem.
• I have tested with the master branch and it's still a problem.

Additional context

[pi3ch]

Yes, getting the same problem.

https://github.com/jazzband/django-oauth-toolkit/blob/d66608bb72ddcf42b69a324306388a698dee4545/oauth2_provider/views/base.py#L150C9-L152C46

prompt = request.GET.get("prompt")
        if prompt == "login":
            return self.handle_prompt_login()

There is no handling of the prompt == "none".

Also for some reason, I am unable to overwrite Authorize view.
@dopry did you have any success here or workaround?

[dopry]

@pi3ch I haven't had time to address this issue yet. A PR would be welcome, but this is also on my radar right now as I need it for a client project.

[dopry]

I was working with @andyzickler on this issue. There are two things the need to be addressed to get prompt=none working.

• LoginRequiredMixin redirects to login screen when there is no session. It prempt the upstream OAuthLib prompt=none handling.

  • we are currently planning to remove the LoginRequiredMixin and figure out if a custom dispatch is required here.

• validate_silent_login only gets a OAuthLib.common.Request which doesn't have the session user from the Django Request so there is no convenient way to check if the user has a current session.

  • we are currently considering two appraoches to resolve this issue.
    1. replicate the work of the session and auth middleware in the validate_silent_login hook
    2. inject the request.user into the OAuthLib.common.Request when it is created so it will be available to DOT hooks.