I am playing around with OAuth2 using Auth0. I see that I am able to simulate the implicit flow using a REST client. My problem is that I am able to get the user details without a consent screen being popped up. The flow is as follows:

1. I send the username, password, and client ID.
2. I get the access token.
3. I send the request asking for user information using the access token from step 2.

Here I get the response back with the user details; however, there is no consent screen popping up to the user to grant access. Isn't this like a flaw?
- You should pop the remote authorization screen. So something should always pop up. However, it may happen (depending on the remote system) that if you already authenticated on the remote server (via your active session/cookie) then the grant is given directly and the popup closes. – Simon Dec 12 '16 at 00:19
- Nope, I did not grant the access from a pop-up. Is there any flow where the pop-up (consent) is not required? I am actually using the following: https://YOUR_AUTH0_DOMAIN/oauth/ro https://auth0.com/docs/api/authentication#!#post--oauth-ro – user3547774 Dec 12 '16 at 00:24
- If you use the implicit flow using the client credentials (username, password), the workflow assumes that you have the consent because you have his password somehow. Then there is no confirmation and the response is direct. – Simon Dec 12 '16 at 00:35
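The distinction the comments draw (a password posted to `/oauth/ro` skips consent, while the browser-redirect flows show a consent screen unless a session and a prior grant already exist) as a toy authorization-server model. This is an added example, not Auth0's code or the asker's; the users, clients, per-client allowed grant types and consent store are all constructed in memory.

```python
"""Toy OAuth2 authorization server: why a password grant shows no consent screen.

Constructed example. Users, clients and the consent store are in-memory
dictionaries; tokens are random strings rather than JWTs.
"""
import secrets
from typing import Optional

# Constructed sample data.
USERS = {"alice": "correct horse battery staple"}
# Which grant types each client may use: the policy knob that limits which
# clients are allowed to exchange a raw password for a token at all.
CLIENTS = {
    "first-party-spa": {"grants": {"implicit"}, "first_party": True},
    "trusted-cli": {"grants": {"password"}, "first_party": False},
    "third-party-app": {"grants": {"implicit"}, "first_party": False},
}
# (username, client_id) -> scopes the user has already granted.
CONSENT_STORE: dict[tuple[str, str], set[str]] = {}


def password_grant(username: str, password: str, client_id: str) -> dict:
    """Resource-owner password grant (the shape of the /oauth/ro request).
    The client presents the user's password itself, so the server treats
    consent as already given and never renders a consent screen."""
    client = CLIENTS.get(client_id)
    if client is None or "password" not in client["grants"]:
        return {"error": "unauthorized_client"}
    if USERS.get(username) != password:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16), "consent_shown": False}


def authorize(session_user: Optional[str], client_id: str, scope: set[str]) -> dict:
    """Browser-redirect flows (implicit / authorization code).
    Returns what the /authorize endpoint would do next for this request."""
    client = CLIENTS.get(client_id)
    if client is None or "implicit" not in client["grants"]:
        return {"error": "unauthorized_client"}
    if session_user is None:
        return {"next": "login"}  # no session cookie yet: show the login page
    already = CONSENT_STORE.get((session_user, client_id), set())
    if client["first_party"] or scope <= already:
        # Prior consent (or a first-party client): the popup closes at once,
        # which is the "grant is given directly" case from the comments.
        return {"access_token": secrets.token_urlsafe(16), "consent_shown": False}
    return {"next": "consent", "scope": sorted(scope)}


def record_consent(username: str, client_id: str, scope: set[str]) -> None:
    """Persist the scopes a user approved on the consent screen."""
    CONSENT_STORE.setdefault((username, client_id), set()).update(scope)
```

Restricting the password grant to the few clients that genuinely need it (here only `trusted-cli`) is what keeps a third-party client from ever reaching the no-consent path.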