
How to handle prompt=login parameter in case of first authorize call (no session)

With my team we're working to deliver an ID system compliant with OpenID Connect, and we're currently in trouble with the interpretation of the prompt parameter, especially when the "login" value is passed.

From the OpenID Connect specification:

OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. [...]

The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

The specification here only talks about "reauthentication" and doesn't explain extensively how a system should/must react when this parameter is provided in the first authorize call performed by a user (hence no session).

In our implementation we agreed to use a set of acr_values (in absolute URL format, but for the sake of simplicity called just BRONZE and SILVER) that drive the user experience in different directions:

- In the case of Bronze we try to avoid user interaction as much as possible, attempting to recognize the user in multiple ways and authorizing them in the system based on the trusted information we are able to retrieve (e.g. a pre-registered unique application id, automatic recognition of the user over the network, etc.).

- In the case of Silver the user is asked for a larger set of information to complete the authorization process (e.g. a password).

Our main problem is how to react when the requested acr is set to Bronze (hence no user interaction, if possible) but the prompt parameter is set to "login".

Should we force the user to interact with the system by prompting for some kind of authentication mechanism, or just ignore the value (since it is the first authentication)?

I hope I've been clear.

Thanks in advance for your support.

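The rules the post quotes (prompt is space-delimited and case sensitive; "none" may not be combined with other values; prompt=login means an existing session is not reused and login_required is returned when the OP cannot authenticate) can be pinned down as authorization-endpoint decision logic. The following is an added example and not the poster's code, and it does not settle the question asked: the BRONZE/SILVER names, their relative strength, the Session shape, the default acr, and the passive_satisfies_login switch (whether a fresh passive BRONZE recognition counts as "prompting for reauthentication" on a first call) are all assumptions made for illustration, with the default leaning towards an interactive step.

```python
"""Authorization-endpoint decision logic for the OpenID Connect ``prompt`` and
``acr_values`` parameters.  Added example, not the poster's code.  ACR names,
their ordering, the ``Session`` shape and ``passive_satisfies_login`` are
assumptions made for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional

# Stand-ins for the absolute-URL acr identifiers the post mentions (assumed names).
ACR_BRONZE = "BRONZE"   # passive recognition, no user interaction if possible
ACR_SILVER = "SILVER"   # interactive authentication (e.g. password)
ACR_STRENGTH = {ACR_BRONZE: 1, ACR_SILVER: 2}   # assumed ordering
DEFAULT_ACR = ACR_SILVER                         # assumed default when no acr_values

# The prompt values defined by OpenID Connect Core; comparison is case sensitive.
KNOWN_PROMPT_VALUES = {"none", "login", "consent", "select_account"}


class AuthzError(Exception):
    """An OAuth/OIDC error response (``error`` code plus description)."""

    def __init__(self, code: str, description: str = "") -> None:
        super().__init__(f"{code}: {description}")
        self.code = code


@dataclass
class Session:
    """An existing authenticated session at the OP (assumed shape)."""
    subject: str
    acr: str


@dataclass
class Decision:
    action: str   # "silent" (reuse session), "passive" or "interactive" (fresh auth)
    acr: str
    reason: str


def parse_prompt(raw: Optional[str]) -> set:
    """Parse the space-delimited, case-sensitive ``prompt`` parameter.

    ``none`` combined with any other value is an error per the spec; unknown
    values are rejected here too (an implementation choice, not a spec rule).
    """
    if not raw:
        return set()
    values = raw.split(" ")
    if "" in values or any(v not in KNOWN_PROMPT_VALUES for v in values):
        raise AuthzError("invalid_request", f"malformed prompt value: {raw!r}")
    prompt = set(values)
    if "none" in prompt and len(prompt) > 1:
        raise AuthzError("invalid_request", "prompt=none cannot be combined with other values")
    return prompt


def select_acr(acr_values: Optional[str]) -> str:
    """acr_values is a preference-ordered list; take the first one we support."""
    for candidate in (acr_values or "").split():
        if candidate in ACR_STRENGTH:
            return candidate
    return DEFAULT_ACR


def decide(prompt_raw: Optional[str], acr_values: Optional[str],
           session: Optional[Session], passive_satisfies_login: bool = False) -> Decision:
    """Decide what the authorization endpoint does for one request.

    ``passive_satisfies_login`` encodes the open question from the post: whether
    a fresh BRONZE-style passive recognition counts as "prompting for
    reauthentication".  The default (False) demands an interactive step.
    """
    prompt = parse_prompt(prompt_raw)
    acr = select_acr(acr_values)
    session_ok = session is not None and ACR_STRENGTH[session.acr] >= ACR_STRENGTH[acr]

    if "none" in prompt:
        # MUST NOT display UI; without a usable session the spec requires an error.
        if not session_ok:
            raise AuthzError("login_required", "prompt=none but no session satisfies the request")
        return Decision("silent", session.acr, "prompt=none satisfied by existing session")

    if "login" in prompt:
        # SHOULD reauthenticate: an existing session is never reused here, whatever its acr.
        if acr == ACR_BRONZE and passive_satisfies_login:
            return Decision("passive", acr, "prompt=login met by a fresh passive authentication (assumed policy)")
        return Decision("interactive", acr, "prompt=login: fresh interactive authentication required")

    if session_ok:
        return Decision("silent", session.acr, "existing session satisfies requested acr")
    if acr == ACR_BRONZE:
        return Decision("passive", acr, "no usable session; BRONZE tries passive recognition first")
    return Decision("interactive", acr, "no usable session; SILVER requires user interaction")


def error_code(fn: Callable, *args, **kwargs) -> Optional[str]:
    """Run ``fn`` and return the OIDC error code it raised, or None if it succeeded."""
    try:
        fn(*args, **kwargs)
    except AuthzError as exc:
        return exc.code
    return None


if __name__ == "__main__":
    # Constructed sample requests: first call without a session, then with one.
    for prompt, acr, sess in [(None, "BRONZE", None), ("login", "BRONZE", None),
                              ("login", "BRONZE", Session("alice", "SILVER"))]:
        print(prompt, acr, sess, "->", decide(prompt, acr, sess))
```

The point the example makes concrete is that prompt=login is a statement about session reuse, not about session existence: with or without a session the existing state is discarded and a fresh authentication is attempted at the requested acr, and only the choice of whether that fresh authentication may be passive (the BRONZE case) is left to policy.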