Setting remember=true on the consent doesn't reuse the same consent with session on subsequent calls

[wederbrand]

Hi!

In my consent-app I've configured the login to not be remembered (I'll authenticate the customer again and again if needed) but in the consent I've set remember=true. I've also added a session to the AcceptConsentRequest.

This works great on the first login with a following consent ui displayed and posted, but on subsequent calls, with getSkip() returning true, the same consent isn't reused. Do I need to set the same session again? I was under the impression that the SAME consent would be reused, including the SAME session.

If not, can I fetch that old consent and session from hydra to re-use it?

Thanks.

[Benehiko]

Hi @wederbrand

You will need to skip the consent screen yourself in the consent-app. Look at this example on the docs:
https://www.ory.sh/hydra/docs/guides/consent#skipping-consent-screen

[wederbrand]

Yes, I've done that. But the consent (in hydras database for example) isn't the same as the original consent. I thought it should be if the consent was skipped.

It's this part from the example app.
https://github.com/ory/hydra-login-consent-node/blob/4a8f50a5fbb761a49304bb3dfc7e3fe4be1a747c/src/routes/consent.ts#L47

[wederbrand]

To clarify. If I have 100 users each logging in and give consent with remember=true I would think that there would be 100 rows in the consent tables.

Now, if those 100 each login 10 more times and correctly skips the consent-steop, I would think there still be those 100 rows in the consent tables. Instead there is now 11*100 rows, one for each time they logged in, including all those times the consent ui was skipped.

They also get new hyra access tokens each time, shouldn't they get the refresh token they have already?

[aeneasr]

Now, if those 100 each login 10 more times and correctly skips the consent-steop, I would think there still be those 100 rows in the consent tables. Instead there is now 11*100 rows, one for each time they logged in, including all those times the consent ui was skipped.

That is the only way to track the tuple (login, consent, refresh token, access token) unfortunately. We are working on a patch to improve the amount of data being accumulated though!

They also get new hyra access tokens each time, shouldn't they get the refresh token they have already?

Absolutely not! The behaviour is correct, and secure.

[wederbrand]

Will a second login, re-using the old consent, invalidate previous refresh tokens?
How should the auth-code-client from the 5-minute tutorial act on any logins except the first?

The client will have a refresh-token for offline use since the first and initial login, and now there is a new one sent on any subsequent login. Should it replace the old one? Will the old one be valid or invalidated?

It seems to me that there will be a lot of active and valid refresh-tokens produced and sent to the auth-code-client.

Is the client expected to not ask for the offline scope on any but the first login?