Authorization Code Grant Flow: login before receiving code

[thomas-advantitge]

I'm trying to use Authorizer as an OAuth2 server (OpenID compatible).

Executing the following request:

/authorize?state=<state>&client_id=<client_id>&response_type=code

results in a redirect (even without code_challenge specified) to:

/app/?state=<state>&scope=openid%20profile%20email&redirect_uri=/app&code=<code>

This behaviour happens regardless of an existing session or not. In case of no session, the login form of the /app application is shown. However, an authorization code (<code> in the path above) is already present. Is this expected without the user first proving login/consent?

I'm referring to step 4-5-6 in the below diagram (https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce#how-it-works):

[lakhansamani]

@thomas-advantitge thank you for sharing this flow
We are missing the consent for sure. We can create an issue for that and take it forward

For other code flow concerns, can you please share reproducible steps?

[thomas-advantitge]

Thanks for the clarification!
(I've made an issue linked to this discussion for future reference)