Openid, Prompt=Login not working when windows integrated auth in

Hi,

Prompt=Login is not working.

The user is already logged in but needs another explicit confirmation, so our application asks the user to confirm by forcing login again. To achieve that we set Prompt=login.
But it does not work. Here below is what we found in the network round trip.

GET /oauth2/v1/authorize?response_type=code&client_id=0oa2kgb008ukz4vin0i7&redirect_uri=http://localhost&scope=openid profile email&state=1002282471569536143144216209158&prompt=login HTTP/1.1
Response HTTP/1.1 302 Found

GET /login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=GtU7buqsETw6JtrFhSXqky1F6pizayusKszcbXG3qq8 HTTP/1.1

During the second GET, we lost the prompt=login and that uses the existing session.
Is this a bug? Do we have a workaround?

Regards,
Murali S

Hi @muralitharan

If the user does not have an active session, an okta_key is generated and the path that the user accessed (/oauth2/v1/authorize?response_type…) is linked to the okta_key.

Once the user authenticates, the okta_key is checked in the database, the path is returned, the user is redirected back to it and the okta_key is deleted from the database.

Thanks for the reply about okta key.

My main question was what happened to prompt=login parameter.

Why was it missed?

Hi @muralitharan

The okta_key parameter is stored along with the other parameters and path inside the database and linked with the okta_key that is generated and brought in the front-end.

Once you authenticate, you are redirected to the original path, which has all the parameters previously requested, including prompt=login.

It does make sense and also NOT.

The prompt=login parameter is something that needs to be used during the authentication. It forces the user to enter the credentials instead of using the existing session. If OKTA uses it after successful authentication, there is no sense in it.

Basically, the prompt parameter is not working as per the OpenID/OAuth standard.

I think the problem is specifically when windows integrated authentication is enabled.

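Since the thread shows the OP dropping prompt=login on the way to the login page, a relying party cannot rely on the parameter alone; it can only verify afterwards, from the ID token's auth_time claim, that a fresh authentication actually happened. The following is an added example of that client-side check, not code from the original post or from Okta: the issuer, client_id and redirect_uri are placeholders, and it assumes the caller has already verified the ID token signature and passes in the decoded claims.

```python
"""Relying-party check that a prompt=login request really produced a fresh login.

Hypothetical RP code (not Okta's). Assumes the ID token signature has already been
verified by the caller, so only the decoded claims dict is examined here.
"""
from urllib.parse import urlencode

ISSUER = "https://idp.example.com"  # placeholder issuer, constructed for this example


def build_authorize_url(client_id: str, redirect_uri: str, nonce: str, state: str) -> str:
    """Authorization request that asks the OP to re-authenticate the user.

    prompt=login asks for a fresh login; max_age=0 additionally obliges the OP to
    include the auth_time claim in the ID token (OIDC Core 1.0, section 3.1.2.1),
    and auth_time is what the RP can actually verify afterwards.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "max_age": "0",
    }
    return f"{ISSUER}/oauth2/v1/authorize?" + urlencode(params)


def fresh_login_confirmed(claims: dict, request_started_at: int, nonce: str,
                          skew: int = 60) -> bool:
    """Return True only if the (signature-verified) ID token proves a new authentication.

    A token minted from a reused session carries the auth_time of the original
    login, so it fails this check even when the OP silently ignored prompt=login.
    request_started_at is the Unix time at which the RP issued the authorize request.
    """
    if claims.get("iss") != ISSUER or claims.get("nonce") != nonce:
        return False  # wrong issuer or replayed token
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False  # no proof of when the user authenticated: treat as stale
    return auth_time >= request_started_at - skew
```

A missing auth_time is treated as a failure on purpose: without it the RP has no evidence that the confirmation step was honoured.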

Okta doesn’t pass the “prompt” parameter to the external Google IdP (Google and Microsoft require select_account instead of login for the prompts). It leads to automatic logins and it is a serious security breach.

Auth0.com has a special parameter, upstream_params, for the similar issue (Pass Parameters to Identity Providers), which solves this problem.

There is also an issue in the Okta Help Center: Okta Help Center (Lightning), but the provided link doesn’t have any mention of additional IdP parameters:
Add an external Identity Provider | Okta Developer