refresh_token available without going through consent

[lhoekenga]

The OIDC extension will issue refresh tokens w/o the RP specifying prompt=consent

Acc'd to https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

When offline access is requested, a prompt parameter value of consent MUST be used unless other conditions for processing the request permitting offline access to the requested resources are in place. The OP MUST always obtain consent to returning a Refresh Token that enables offline access to the requested resources. A previously saved user consent is not always sufficient to grant offline access.

Of similar concern, but probably a separate issue - "prompt=consent" only displays consent if relying-party.xml has added the attribute-release flow to OIDC.SSO..

<bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" />

[jalauros]

The OIDC extension relies on having post authentication flow "attribute-release" for asking consent. If you remove it, the consent will not be asked. That should be the case with both of your issues. Add back the "attribute-release" post authentication flow and consent shall be asked in those cases.

[jalauros]

You should note that there has been a bug for client side storage handling, effectively causing consent being asked over and over again (if client side storage has been used for it). So if that has been the reason to remove the post authentication flow "attribute-release" there is a fix. Use server side storage or wait for 1.1 release or just apply the commit that closes #24 that fixing the client side storage.