OAuth 3LO Flow: Why am I shown the consent screen multiple times?

I’m developing a new application and I’m getting the “consent” screen more than once when testing locally.

My current flow is:

  1. Try the login with none as prompt
  2. When I get an error in the callback URL, I retry the authorization with consent as prompt

However, after the access token expires after 1 hour and I log in again, I also have to give consent again. I can see at the bottom of the consent screen that 1 user has given consent (me). So it is stored that I have already given consent. I’m aware that I can request another access token with a refresh token, but I don’t understand why consent is asked for again without changes in scopes.

Is this expected behavior? I can’t find any information about that in the docs.

Thanks a lot and have a great day.

Kind regards,
Adrian

It seems the implementation is slightly incorrect.
Here it looks like, on access token expiration, the user is directed to the consent screen again. Ideally, once the access token has expired, you should try to get it again using the refresh token. If the access token is not received using the refresh token, then the user will have to go through the consent flow again.

Also, make sure you are aware of https://api.atlassian.com/oauth/token/accessible-resources, which retrieves the sites that have scopes granted by the token. You can find out more about it in the FAQ section of our 3LO documentation.

Hi,

Thanks! I’ve tested this quite a bit during the last weeks. I think I figured out how to avoid showing the consent screen more than once.

What I figured out is that the prompt needs to change depending on the error code that is provided in the callback URL.

Error login_required -> prompt=login
Error consent_required -> prompt=consent
Error unauthorized -> prompt=login

The documentation states

  • prompt : ( required ) Set to consent so that the screen prompting the user to grant access will display.

Do you think that I handle the errors correctly? Am I missing some errors?
Maybe that bit can be added to the documentation?

Thanks a lot.

Kind regards,
Adrian
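
The advice in the reply above (use the refresh token first, fall back to the authorization flow) and the error-to-prompt mapping from the last post, combined in one added example that is not part of the original thread or Atlassian's own code. The endpoint, client ID, redirect URI and scopes are assumed placeholder values, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (not from the thread): endpoint, client id, redirect URI, scopes.
AUTHORIZE_URL = "https://auth.atlassian.com/authorize"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "http://localhost:8080/callback"
SCOPES = "read:jira-work offline_access"

# Callback error -> prompt for the retry, as reported in the thread.
RETRY_PROMPT = {
    "login_required": "login",
    "consent_required": "consent",
    "unauthorized": "login",
}

def build_authorize_url(prompt, state):
    """Build the authorization redirect for a given prompt value."""
    params = {"audience": "api.atlassian.com", "client_id": CLIENT_ID,
              "scope": SCOPES, "redirect_uri": REDIRECT_URI, "state": state,
              "response_type": "code", "prompt": prompt}
    return AUTHORIZE_URL + "?" + urlencode(params)

def start(access_expired, has_refresh_token, state):
    """First decision: only redirect the user when no refresh is possible."""
    if not access_expired:
        return ("use_token", None)
    if has_refresh_token:
        return ("refresh", None)  # token endpoint call, no user interaction
    return ("redirect", build_authorize_url("none", state))  # silent attempt

def next_step(callback_url, expected_state):
    """Handle the callback: exchange the code, retry with a prompt, or stop."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # Constant-time state check; a mismatch is never retried (CSRF guard).
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        return ("reject", None)
    if "code" in q:
        return ("exchange_code", q["code"])
    prompt = RETRY_PROMPT.get(q.get("error", ""))
    if prompt is None:
        return ("fail", q.get("error"))  # unmapped error: surface it, do not loop
    # Fresh state for every new authorization request.
    return ("redirect", build_authorize_url(prompt, secrets.token_urlsafe(16)))
```

The caller must store the state embedded in each returned redirect URL and pass it as `expected_state` when the next callback arrives.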