Bug #17335
closed
OpenID Connect 'prompt' parameter should be configurable
Added by Peter Amstutz almost 4 years ago.
Updated almost 4 years ago.
Release relationship:
Auto
Description
When controller redirects the user to the OpenID Connect endpoint, it sets "prompt=select_account". This is supported by Google but with PingFederate it results in a "not supported" error, so the user cannot log in. "prompt" seems to be an optional field in OIDC, so presumably you get default behavior if it isn't explicitly included. The "prompt" value should be configurable, or not added at all when the configuration value is blank.
Suggested behavior:
- Google login continues to use prompt=select_account
- OIDC configuration gets an "ExtraParameters" section that allows providing arbitrary parameters that will be set with AuthURLParam().
- Status changed from New to In Progress
- Description updated (diff)
- Description updated (diff)
- Assigned To changed from Peter Amstutz to Tom Clegg
Named the configs "AuthenticationRequestParameters" to more closely match the relevant openid spec and google docs.
    # Send additional parameters with authentication requests. See
    # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
    # for a list of supported parameters.
    AuthenticationRequestParameters:
      # Show the "choose which Google account" page, even if the
      # client is currently logged in to exactly one Google
      # account.
      prompt: select_account
      SAMPLE: ""

    # Send additional parameters with authentication requests,
    # like {display: page, prompt: consent}. See
    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
    # and refer to your provider's documentation for supported
    # parameters.
    AuthenticationRequestParameters:
      SAMPLE: ""
17335-oidc-auth-params @ 0bcd1ca37a225f37dd52081070c91aa2ba68d49a -- developer-run-tests: #2300
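As an added example (not the Arvados controller's own code, which passes these values through the oauth2 package's AuthURLParam), the stdlib-only Go function below shows how a configured AuthenticationRequestParameters map ends up in the authorization request: the Google default carries prompt=select_account, an empty map or a blank value sends no prompt at all so the provider's default behaviour applies (the PingFederate case above), and, as an extra check assumed here rather than taken from the ticket, a configured key is refused if it would override a parameter the client sets itself (state, redirect_uri, and so on). The endpoint, client id and redirect URI are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// reservedParams are set by the client itself. Letting an operator-supplied
// map clobber them (e.g. redirect_uri or state) would defeat the purpose of
// those parameters, so the example refuses such keys. This check is an
// assumption of the example, not documented Arvados behaviour.
var reservedParams = map[string]bool{
	"client_id":     true,
	"redirect_uri":  true,
	"response_type": true,
	"scope":         true,
	"state":         true,
}

// AuthCodeURL builds the OIDC authorization request URL. extra holds the
// configured AuthenticationRequestParameters; an empty map adds nothing and a
// blank value omits the key, so the provider applies its own default.
func AuthCodeURL(endpoint, clientID, redirectURI, state string, scopes []string, extra map[string]string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)

	// Sorted so that an error about a reserved key is deterministic.
	keys := make([]string, 0, len(extra))
	for k := range extra {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if reservedParams[k] {
			return "", fmt.Errorf("AuthenticationRequestParameters: %q is set by the client and cannot be overridden", k)
		}
		if extra[k] == "" {
			continue // blank value: leave the parameter out entirely
		}
		q.Set(k, extra[k])
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ParamValue returns the named query parameter of a built URL and whether it
// is present, so callers can check what the provider would actually receive.
func ParamValue(rawURL, name string) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false
	}
	vals, ok := u.Query()[name]
	if !ok || len(vals) == 0 {
		return "", false
	}
	return vals[0], true
}

func main() {
	// Constructed values; no real provider is contacted.
	google := map[string]string{"prompt": "select_account"}
	generic := map[string]string{} // SAMPLE: "" only, nothing configured
	for _, extra := range []map[string]string{google, generic} {
		u, err := AuthCodeURL("https://idp.example/authorize", "client-id-placeholder",
			"https://arvados.example/login", "state-placeholder", []string{"openid", "email"}, extra)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(u)
	}
}
```

The blank-value rule is what makes a PingFederate-style deployment work without code changes: leave prompt unset (or empty) in the OpenIDConnect section and the request goes out with no prompt parameter, while the Google section keeps its select_account default.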
- Status changed from In Progress to Resolved