
Trying to look up what autoApprove does in Spring Boot OAuth, and there's a question here titled "Skip OAuth user approval in Spring Boot OAuth2" that talks about it. Is user approval the same thing as user authentication? In other words, when autoApprove is set to true for the client, user authentication is skipped?

Ole

1 Answer


Authentication and approval are not the same, see RFC6749:

4.1.1. Authorization Request

[...] The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means).

When a decision is established, the authorization server directs the user-agent to the provided client redirection URI using an HTTP redirection response, or by other means available to it via the user-agent.

Spring OAuth2's autoApprove skips the approval (establishing approval via other means), see UserApprovalHandler.html#checkForPreApproval:

Provides a hook for allowing requests to be pre-approved (skipping the User Approval Page). Some implementations may allow users to store approval decisions so that they only have to approve a site once. This method is called in the AuthorizationEndpoint before sending the user to the Approval page. If this method sets oAuth2Request.approved to true, the Approval page will be skipped.

See also:

Community
dur
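The distinction drawn in the answer above, shown as a configuration sketch. This is an added example, not code from the question or the answer; it assumes the legacy Spring Security OAuth2 (spring-security-oauth2) configuration API, and the client id, secret and redirect URI are constructed placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

// Approval: decided per client. autoApprove only pre-approves the consent
// step (RFC 6749 4.1.1, "establishing approval via other means").
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("first-party-app")                     // constructed client id
            .secret("<placeholder-secret>")                    // placeholder; store it encoded for your PasswordEncoder
            .authorizedGrantTypes("authorization_code")
            .scopes("read", "write")
            .redirectUris("https://app.example.com/callback")  // constructed URI
            // Pre-approve only the "read" scope; a request that includes
            // "write" still shows the approval page.
            // autoApprove(true) would pre-approve every scope of this client.
            .autoApprove("read");
    }
}

// Authentication: decided by the web security configuration, independently
// of autoApprove. The resource owner must still log in before reaching
// /oauth/authorize, whatever the client's approval setting is.
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With this setup an unauthenticated browser sent to /oauth/authorize is redirected to the login form first; only after login does the pre-approval check decide whether the approval page is shown.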