Bug #17335 (closed)
OpenID Connect 'prompt' parameter should be configurable
Description
When controller redirects the user to the OpenID Connect endpoint, it sets "prompt=select_account". This is supported by Google but with PingFederate it results in a "not supported" error, so the user cannot log in. "prompt" seems to be an optional field in OIDC, so presumably you get default behavior if it isn't explicitly included. The "prompt" value should be configurable, or not added at all when the configuration value is blank.
Suggested behavior:
- Google login continues to use prompt=select_account
- OIDC configuration gets an "ExtraParameters" section that allows providing arbitrary parameters that will be set with AuthURLParam().
Updated by Peter Amstutz almost 4 years ago
- Status changed from New to In Progress
Updated by Peter Amstutz almost 4 years ago
- Assigned To changed from Peter Amstutz to Tom Clegg
Updated by Tom Clegg almost 4 years ago
Named the configs "AuthenticationRequestParameters" to more closely match the relevant openid spec and google docs.
    # Send additional parameters with authentication requests. See
    # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
    # for a list of supported parameters.
    AuthenticationRequestParameters:
      # Show the "choose which Google account" page, even if the
      # client is currently logged in to exactly one Google
      # account.
      prompt: select_account
      SAMPLE: ""

    # Send additional parameters with authentication requests,
    # like {display: page, prompt: consent}. See
    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
    # and refer to your provider's documentation for supported
    # parameters.
    AuthenticationRequestParameters:
      SAMPLE: ""
17335-oidc-auth-params @ 0bcd1ca37a225f37dd52081070c91aa2ba68d49a -- developer-run-tests: #2300
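The following Go program is an added example written for this page; it is not Arvados code and not from the branch above. It shows the behaviour the description asks for and the config sketched in the comment above: a per-provider map of extra authentication-request parameters, with blank values dropped so that leaving "prompt" empty sends no prompt parameter at all (the PingFederate case), while the Google entry keeps prompt=select_account. It builds the request with net/url rather than golang.org/x/oauth2 (where the equivalent is passing oauth2.SetAuthURLParam options to Config.AuthCodeURL) so it runs stand-alone. The function name AuthRequestURL, the endpoint and client values, and the check that config-supplied parameters cannot override state, client_id, redirect_uri, response_type or scope are assumptions of this example, not something the ticket specifies; the override check is there because state carries the CSRF binding for the login flow and should never be settable from a deployment config.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// reservedParams are set by the login controller itself. A deployment's
// AuthenticationRequestParameters must not override them: state is the
// CSRF binding, and client_id/redirect_uri identify the registered client.
// (Assumption of this example; the ticket does not discuss it.)
var reservedParams = map[string]bool{
	"client_id":     true,
	"redirect_uri":  true,
	"response_type": true,
	"scope":         true,
	"state":         true,
}

// AuthRequestURL builds an OIDC authorization-code request.
// extra corresponds to the AuthenticationRequestParameters config map.
// Entries with an empty value are skipped, so a blank "prompt" means
// "send no prompt parameter" and the provider's default applies.
func AuthRequestURL(authEndpoint, clientID, redirectURI, state string, scopes []string, extra map[string]string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)

	// Sort keys so the resulting URL is deterministic (useful for tests and logs).
	keys := make([]string, 0, len(extra))
	for k := range extra {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if reservedParams[k] {
			return "", fmt.Errorf("AuthenticationRequestParameters: %q is set by the login controller and cannot be overridden", k)
		}
		if extra[k] == "" {
			continue // blank value: omit the parameter entirely
		}
		q.Set(k, extra[k])
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Google: keep the account chooser, as the ticket proposes.
	google, err := AuthRequestURL(
		"https://accounts.google.com/o/oauth2/v2/auth", "example-client-id",
		"https://arvados.example/login", "example-state",
		[]string{"openid", "profile", "email"},
		map[string]string{"prompt": "select_account"})
	if err != nil {
		panic(err)
	}
	fmt.Println(google)

	// Generic OIDC provider (hypothetical endpoint): blank prompt, so none is sent.
	generic, err := AuthRequestURL(
		"https://idp.example/as/authorization.oauth2", "example-client-id",
		"https://arvados.example/login", "example-state",
		[]string{"openid", "profile", "email"},
		map[string]string{"prompt": ""})
	if err != nil {
		panic(err)
	}
	fmt.Println(generic)

	// A config that tries to set state is rejected rather than silently honoured.
	_, err = AuthRequestURL(
		"https://idp.example/as/authorization.oauth2", "example-client-id",
		"https://arvados.example/login", "example-state",
		[]string{"openid"}, map[string]string{"state": "attacker-chosen"})
	fmt.Println("override rejected:", err)
}
```

Run with `go run .`; the first URL contains prompt=select_account, the second has no prompt parameter, and the third call returns an error instead of a URL.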
Updated by Tom Clegg almost 4 years ago
Backported to 2.1-dev: 17335-backport-2.1 @ f949cc3c0441b25866ee021af647010622c1c694 -- developer-run-tests: #2304
Updated by Peter Amstutz almost 4 years ago
Tom Clegg wrote:
Named the configs "AuthenticationRequestParameters" to more closely match the relevant openid spec and google docs.
17335-oidc-auth-params @ 0bcd1ca37a225f37dd52081070c91aa2ba68d49a -- developer-run-tests: #2300
This LGTM.
Updated by Peter Amstutz almost 4 years ago
Tom Clegg wrote:
Backported to 2.1-dev: 17335-backport-2.1 @ f949cc3c0441b25866ee021af647010622c1c694 -- developer-run-tests: #2304
The build blew up; I restarted it: developer-run-tests: #2306
Updated by Tom Clegg almost 4 years ago
2.1-dev @ 9ceb98dc7d9b0d41283048d9c121a71d2fb950e0 -- developer-run-tests: #2307
2.1-dev @ 9ceb98dc7d9b0d41283048d9c121a71d2fb950e0 -- developer-run-tests: #2308
17335-backport-2.1 @ f949cc3c0441b25866ee021af647010622c1c694 -- developer-run-tests: #2309
Looks like linkchecker is failing on 2.1-dev, everything else passed after a few tries.
Updated by Tom Clegg almost 4 years ago
- Status changed from In Progress to Resolved