Support OpenID Connect 1.0 prompt=none parameter #501

Closed
ufkl opened this issue Nov 17, 2021 · 6 comments

ufkl commented Nov 17, 2021

Expected Behavior
To support silent authentication on Authorization Code Flow with PKCE.
Reference: https://auth0.com/docs/login/configure-silent-authentication

Current Behavior
A Single Page Application (SPA) is a public client. As it can't hold a secret, the SPA needs to integrate with the Authorization Server using the Authorization Code Flow with PKCE. When the access token has expired, the SPA needs to redirect users to the Authorization Server to begin a new Authorization Code Flow, resulting in a bad user experience.

@ufkl ufkl added the type: enhancement A general enhancement label Nov 17, 2021
@jgrandja jgrandja changed the title from "Authorization Code Flow with PKCE in conjunction with Silent Authentication" to "Support OpenID Connect 1.0 prompt parameter" Dec 8, 2021
@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Dec 8, 2021
Collaborator

jgrandja commented Dec 8, 2021

@ufkl We'll look at adding support for the prompt parameter when we start adding further support for OpenID Connect 1.0. At the moment, we have higher priority items we're working on. We will get to this but it will take some time.

See prompt parameter in 3.1.2.1. Authentication Request

@asiercamara

Hello,

I just wanted to ask if there is any update on the implementation of this feature in the project. The support for the prompt=none parameter would be very useful to enable silent authentication without interrupting the user in SPA applications.

(Maybe related to #211 work)

Thank you for your time and attention.

@jgrandja
Collaborator

@asiercamara No updates so far. Given that this feature currently has 4 upvotes, it's on the lower priority scale. We prioritize features for the next release based on upvotes and other factors.

@jgrandja jgrandja moved this to Planning in Spring Security Team May 27, 2023
kuzjka added a commit to kuzjka/spring-authorization-server that referenced this issue Sep 3, 2023
This change provides limited support for the OIDC 'prompt' parameter for authorization code requests.
If the request contains the 'prompt' parameter and its value is 'none', the authorization server does not redirect the user to the login/consent page. Instead, an OAuth2 error is returned in the redirect to the client app.

Fixes spring-projectsgh-501 (partially)

kuzjka commented Sep 3, 2023

Hello,

If providing support only for prompt=none parameter is an option, I can suggest #1351 to fix it.

As a workaround, we currently use a custom AuthenticationEntryPoint for this case with corresponding request filters.

@jgrandja jgrandja changed the title from "Support OpenID Connect 1.0 prompt parameter" to "Support OpenID Connect 1.0 prompt=none parameter" Jul 22, 2024
@jgrandja jgrandja self-assigned this Jul 22, 2024
@jgrandja jgrandja removed the status: on-hold We can't start working on this issue yet label Jul 22, 2024
@jgrandja jgrandja moved this from Planning to In Progress in Spring Security Team Jul 22, 2024
@jgrandja jgrandja added this to the 1.4.0-M1 milestone Jul 22, 2024
Collaborator

jgrandja commented Aug 8, 2024

This is now merged via 19dfcd4.

This commit adds support for prompt=none only. It does not add support for login, consent or select_account.

There are no plans to add support for login or select_account since this specific flow is the responsibility of the authentication sub-system, which is a separate system from the authorization server. See this comment for further details.

We may consider adding support for prompt=consent (related gh-1422) at a later point.

@jgrandja jgrandja moved this from In Progress to Done in Spring Security Team Aug 8, 2024
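
The client side of the silent flow discussed in this thread, as an added example that is not part of the issue or of Spring Authorization Server: it builds a `prompt=none` authorization request and classifies the redirect that comes back, including the error-in-redirect case the commit message describes. `EXAMPLE_CFG`, the function names and the URLs are assumptions made for illustration; the interaction error codes are those defined in OpenID Connect Core 3.1.2.6.

```javascript
// Constructed configuration for illustration; not real endpoints.
const EXAMPLE_CFG = {
  authorizationEndpoint: 'https://as.example.test/oauth2/authorize',
  clientId: 'spa-client',
  redirectUri: 'https://spa.example.test/silent-callback',
  scope: 'openid',
};

// OIDC Core 3.1.2.6 error codes that mean "the user must interact".
const NEEDS_INTERACTION = new Set(['login_required', 'consent_required',
  'interaction_required', 'account_selection_required']);

// Build the silent request. The caller generates state and the PKCE S256
// code_challenge from a CSPRNG and keeps state and verifier client-side.
function buildSilentAuthUrl(cfg, state, codeChallenge) {
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri, scope: cfg.scope, state,
    code_challenge: codeChallenge, code_challenge_method: 'S256',
    prompt: 'none',
  }).toString();
  return url.toString();
}

// Classify the redirect that comes back from the silent request.
function handleSilentCallback(callbackUrl, cfg, expectedState) {
  const url = new URL(callbackUrl);
  const expected = new URL(cfg.redirectUri);
  // Only accept responses delivered to the registered redirect URI.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { action: 'reject', reason: 'unexpected_redirect_uri' };
  }
  const p = url.searchParams;
  // state binds the response to the request this client started.
  if (!expectedState || p.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }
  const code = p.get('code'), error = p.get('error');
  if (code && error) return { action: 'reject', reason: 'ambiguous_response' };
  if (error) {
    // Interaction-required errors fall back to a visible login; others fail.
    return NEEDS_INTERACTION.has(error)
      ? { action: 'interactive_login', reason: error }
      : { action: 'reject', reason: error };
  }
  if (code) return { action: 'exchange_code', code };
  return { action: 'reject', reason: 'empty_response' };
}
```

An `exchange_code` result still has to be redeemed at the token endpoint with the PKCE `code_verifier` that matches the challenge sent in the request.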

dciarniello commented Aug 23, 2024

I understand how select_account would be the responsibility of the authentication sub-system; I don't understand how that applies to login. How does the flow get to the authentication system if the authorization doesn't set the authenticated state to false when prompt=login?
