Skip to content

feat: add SkipAuthorization option for OIDC clients#988

Closed
Miista wants to merge 5 commits into
tinyauthapp:mainfrom
Miista:feat/oidc-client-skip-authorization
Closed

feat: add SkipAuthorization option for OIDC clients#988
Miista wants to merge 5 commits into
tinyauthapp:mainfrom
Miista:feat/oidc-client-skip-authorization

Conversation

@Miista

@Miista Miista commented Jul 9, 2026

Copy link
Copy Markdown

Problem

When a user logs in via OIDC, they are always shown a consent screen asking them to authorize the client. For trusted, self-hosted clients this is unnecessary friction — the user is effectively asked "do you trust your own app?" every time their session expires.

Fixes #878

Solution

Add a skipAuthorization boolean field to OIDCClientConfig. When set to true and the user is already authenticated, the authorize endpoint bypasses the consent screen and immediately issues the authorization code and redirects back to the client.

Configuration

Environment variable:

TINYAUTH_OIDC_CLIENTS_<NAME>_SKIPAUTHORIZATION=true

YAML:

oidc:
  clients:
    myapp:
      skipAuthorization: true

Notes

  • Only skips the consent screen if the user is already authenticated. If not authenticated, the normal login + consent flow applies.
  • The ticket is cleaned up immediately (same as the normal post-consent path).
  • Old sessions are deleted before issuing the code (same behaviour as authorizeComplete).

AI Disclosure

This pull request was developed with AI assistance (Claude). The implementation has been reviewed and is fully understood by the author.

Summary by CodeRabbit

  • New Features

    • Added a skipAuthorization option for OIDC clients to bypass the consent/authorization screen when the user is already signed in and no login is forced.
    • For supported cases, authorization now completes immediately and redirects back to the requesting app with the authorization response (code and state).
  • Behavior Updates

    • When max_age indicates the existing session is too old, login may be required even if skipAuthorization is enabled.

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds SkipAuthorization to OIDC client config and updates authorize so authenticated requests can complete directly with an authorization code when consent skipping is enabled.

Changes

Skip Authorization Flow

Layer / File(s) Summary
Config field for skip authorization
internal/model/config.go
Adds SkipAuthorization bool to OIDCClientConfig with YAML key skipAuthorization,omitempty.
Authorization redirect path
internal/controller/oidc_controller.go
Derives forceLogin from prompts and session age, then either returns a direct redirect_uri response with code and state for skip-authorization clients or continues to the consent screen flow.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

Suggested reviewers: scottmckendry

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR adds a per-client skipAuthorization setting and bypasses the consent screen for authenticated users, matching issue #878.
Out of Scope Changes check ✅ Passed The changes stay focused on OIDC consent skipping and related authorize-flow handling, with no unrelated scope evident.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a SkipAuthorization option for OIDC clients.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/controller/oidc_controller.go`:
- Around line 209-237: The SkipAuthorization flow in oidc_controller.go is
issuing a code before the existing re-authentication checks (`prompt=login` and
`max_age`) are evaluated. Update the authorize path around the
`controller.oidc.DeleteAuthorizeRequestTicket`, `CreateSub`, and `CreateCode`
logic so consent can still be skipped only after all login freshness
requirements have passed, and ensure the same fix is applied to the other
matching authorize branch referenced in the comment.
- Line 236: The redirect in the OIDC callback is appending a new query string
with “?” in OIDCController’s callback flow, which breaks redirect URIs that
already have existing parameters. Update the redirect construction to merge the
new callback parameters into the parsed RedirectURI’s existing query values
instead of concatenating raw strings, then encode them back before calling
c.Redirect. Use the OIDC controller callback logic and the req.RedirectURI
handling as the main places to adjust, and add the needed net/url import for
parsing and rebuilding the URL.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cd115e3f-7d93-4130-9dbf-34f17de3bc0a

📥 Commits

Reviewing files that changed from the base of the PR and between 405d910 and a47ba05.

📒 Files selected for processing (2)
  • internal/controller/oidc_controller.go
  • internal/model/config.go

Comment thread internal/controller/oidc_controller.go Outdated
Comment thread internal/controller/oidc_controller.go Outdated
@steveiliop56

Copy link
Copy Markdown
Member

Hello @Miista.

There is an issue with this implementation. Setting one flag to disable the consent screen for every single user is a bad security choice. The users should be asked for approval at least once and then we can omit the consent screen. This effectively means that we will need some sort of state, either in the browser or in the database. Additionally, even in the case where the consent screen is skipped, the authorization should still follow the same route just with prompt=none. We already have the API endpoint for completing authorization, there is no need to duplicate code.

I will continue progress tracking for this feature in #989.

In any case, thank you for taking the time to work on this and we will definitely implement a way for the consent screen to be skipped in v5.2.0.

@Miista

Miista commented Jul 10, 2026

Copy link
Copy Markdown
Author

@steveiliop56 But the user is asked once the first time they log in?

We are literally only skipping if the current user is already authorized for the given application.

@steveiliop56

Copy link
Copy Markdown
Member

This is the issue, the user is asked once when they log in. But, what if you are already logged in? Then the authorization gets skipped altogether.

In my approach, I plan on also tying the cookie with the user session so, if you log out you will have to authorize again.

@Miista

Miista commented Jul 10, 2026

Copy link
Copy Markdown
Author

That sounds good 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEATURE] Allow skipping or remembering OIDC authorization consent for trusted clients

2 participants