OIDC prompt is a parameter that can be used to control the behavior of the authentication flow. This blog post explains how OIDC prompt works and which one to use in different scenarios.
Introduction
In our journey through the OIDC protocol, we've explored many corners, but one area that consistently deserves attention is the OIDC prompt. This little parameter holds big importance in steering authentication flow.
In this blog post, we'll break down the OIDC prompt, looking at what it does and why it matters for developers.
Understanding OIDC prompt
At its core, OIDC prompt is a parameter that developers can include in authentication requests to instruct the OpenID Connect provider on how to handle the authentication process. It essentially serves as a directive, guiding the provider on how to interact with the user during authentication.
Prompt options
- Login: The login prompt instructs the OpenID Connect provider to force the user to log in, even if they have an existing authenticated session. This is particularly useful in scenarios where re-authentication is necessary for sensitive operations or to ensure the user's identity hasn't changed since their last login.
Note: In Logto, if only Login prompt is specified, no refresh token will be issued to the client.
- Consent: When developers include the consent prompt, the OpenID Connect provider requests the user's consent before releasing their information to the client application. This helps in fostering transparency and ensuring that users have control over their data.
A typical consent screen in Logto
- Select account: The select account prompt enables users to choose from multiple accounts linked to their identity. This is common in scenarios where users have associated various profiles or personas with a single identity and need to specify which one to use for authentication.
- None: The none prompt instructs the OpenID Connect provider not to interact with the user. If the user's session is not currently authenticated or requires additional steps, the provider responds with an error, indicating that the request cannot be completed without user interaction.
Combining prompts
You can mix prompts to create custom login experiences. For example, using both Login and Consent prompts means users have to log in and say "yes" before accessing certain stuff. It's extra security plus being upfront about data access.
Implications for developers
Understanding the OIDC prompt is key for developers working with OIDC. It helps make logins smooth and safe. By using prompt options wisely, developers can tweak logins to fit their app's needs while keeping user privacy and security in mind.
We hope this guide has shed some light for you. If you have any questions or thoughts, feel free to join our Discord channel and chat with us!