Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support the prompt parameter #2208

Open
robotdan opened this issue Apr 12, 2023 · 12 comments
Open

Support the prompt parameter #2208

robotdan opened this issue Apr 12, 2023 · 12 comments
Labels
openid-connect

Comments

@robotdan
Copy link
Member

robotdan commented Apr 12, 2023
edited by jobannon
Loading

Support the prompt parameters

Problem

If you want to use the prompt parameter, you can't. It is sad.

Solution

Support the prompt parameter.

  • none (support for silent authentication)
  • login
  • consent
  • select_account

The login prompt would likely solve the issue requested via #1999.

Alternatives/workarounds

NA

Additional context

OIDC

Silent authentication

An example 3rd party library using this parameter to do a silent "renew"

Auth0 doc for this feature:

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
@robotdan robotdan changed the title Support the prompt parameters Support the prompt parameter Apr 12, 2023
@robotdan robotdan mentioned this issue Apr 12, 2023
Closed
@voidmain voidmain mentioned this issue May 2, 2023
Open
@robotdan robotdan mentioned this issue Jun 15, 2023
Open
@smboykin
Copy link

It would be wonderful if this can be implemented, this would make 3rd-party integration with a difficult customer - well - less difficult :)

@jdegger
Copy link

jdegger commented Oct 17, 2023

Is there a roadmap on this? This is basically making it impossible to do a good implementation for our users

@mooreds
Copy link
Collaborator

mooreds commented Oct 17, 2023

Hiya @jdegger , this is not currently on the near term roadmap. Please upvote it (if you haven't already, I don't know how to see individual upvotes).

Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

Thanks!

@ohEmily
Copy link

ohEmily commented Apr 4, 2024

Just to chime in, my company is also really interested in this. It's a bad look for us right now that our new auth provider doesn't support this (highly visible) white labeling feature for auth applications.

@robotdan
Copy link
Member Author

robotdan commented May 3, 2024
edited
Loading

For all on this thread, are you mostly looking for prompt=none, or do you have use cases for other values?

For some context, here is how I am thinking about each of these prompt values.

none
This would be valuable as a silent check to see if the user has an SSO session. I can appreciate the value here, and seems like something we should support.

login
The use case here I think is to force the user to authenticate again even if an SSO session exists. The scenario I have seen discussed is for this to be used when the user is doing something that may be considered sensitive and you want to force the user to auth again.

The problem is that this parameter doesn't provide any security - the user could simply remove this parameter from the request to bypass this requirement. So if you were to want this feature for this use case, it doesn't seem like it actually offers you any security. It would only be a hope that the user does not modify the URL and then re-use their existing SSO session.

Feel free to comment if you have an opinion on this one, or if there is another use case that you think this solves that would not require any confidence that the user actually re-authenticated.

The way I would think about this - is if you really need the user to re-authenticate, you should perform an in-app step up, or delete the user's SSO session and then redirect them to login to ensure they must login.

One option would be if, if the returned access_token or id_token contained a claim indicating which prompts were requested (and honored) then the implementor could at least prove that they both asked for login and it was completed. But I think this is mostly already possible because today if we honor an existing SSO session, the authenticationType in the access_token will be PING instead of PASSWORD or some other type.

consent
Similar to login, this could simply be removed by the user and then they would not be prompted. We have implemented scope consent through the use of a "3rd party" application setting which forces a prompt based upon configuration instead of a mutable parameter on the URL.

Does anyone have a use case that would require consent, and you wouldn't otherwise be able to use a 3rd party application config, and would want to enable or disable consent on a per request basis? Knowing that the user could intercept this URL and remove or modify this parameter?

select_account

This seems interesting and would allow you to select from multiple active SSO sessions for users in the same FusionAuth tenant. Currently this is not possible. We do support multi-tenant SSO, but if you have more than one user in a tenant, you can only have one active SSO at a time.

Is this specific option interesting to anyone?

Feel free to leave comments for any other specific use cases I'm missing here. Thanks for your interest!

@jdegger
Copy link

jdegger commented May 6, 2024

@robotdan For us, we are looking for the prompt=login variant, the use case is very different from what you are describing. This is important because the solution you are providing is not working as expected.

We are relying on solutions like react-native-app-auth to provide us with the login screen in our app. On iOS we have the option to choose for a private session which makes it possible for us to pick up on the correct user but on Android the login credentials of any existing user are cached and passed through. This results in the wrong user being logged in, which we can not prevent.

The three solutions being provided in the community are (FormidableLabs/react-native-app-auth#723)

  • Logout beforehand: this is not possible because the session is being setup outside of our app and just passed through
  • Use a private tab: works wonderfully on iOS. No working solution on Android as of now.
  • Provide prompt=login to force the login: not supported by FusionAuth.

The use case we are struggling with is as follows:

  1. User A logs in with a SSO provider, all good, no problems
  2. User A logs out from our app. Note that this not invalidate the SSO session at this point.
  3. User B tries to login. He does so by providing his e-mailadres in our app, our app detects through FusionAuth that this is a domain which has been linked to an external SAML provider and thus we need to provide the login screen to the user. However, FusionAuth picks up on the existing SSO session and logs this user in. Even though we have provided a login_hint with a different e-mail address.
  4. The login was now successful, but you are now logged in with a different user session than expected.

The prompt=login would resolve the issue where we can make sure the correct user is signed in, the one we asked for.

@jdegger
Copy link

jdegger commented May 6, 2024

Additionally, this behavior was also described here: #1999

This is linked as a related issue in the original ticket but I do not see this back in your understanding of adding and supporting prompt=login

@alex-fusionauth
Copy link

This would help us add Authentication to other providers like convex. The way that convex currently handles this is to make an additional call to get the accesstoken passing it back to convex.

Example using Auth0
https://github.com/get-convex/convex-js/blob/47343e1c7531233a1782b03223d3f31e90c75623/src/react-auth0/ConvexProviderWithAuth0.tsx#L45

Open PR to add FusionAuth: get-convex/convex-js#13

@robotdan
Copy link
Member Author

Thanks @jdegger for your detailed response, this is very helpful.

@TruDan
Copy link

TruDan commented Jul 3, 2024

prompt=none is the main one for us, for the automatic-silent-renew with react-oidc client. otherwise we have to implement our own gross hacks/workarounds for refreshing the token in other ways. eventually this leads to the SSO session actually expiring since they spend all their time in our app and not fusionauth side, so then when switching to a different application of ours on the same platform they must login again (which we often get complaints about)

@jobannon jobannon mentioned this issue Sep 24, 2024
Open
@jdegger
Copy link

jdegger commented Jan 24, 2025

Hi, it's been almost 2 years since the initial issue creation. Is there an update on this? We are still eagerly waiting for a solution to this problem.

Honestly, we would have switched providers because of this issue if it wasn't a big hassle...

@mooreds
Copy link
Collaborator

mooreds commented Jan 24, 2025

hi @jdegger , thanks for your feedback; I really appreciate it. I also appreciate your comment on which of the various forms of prompt are important to you.

This issue is on our radar (I think it is the most upvoted open issue) but we don't have a firm timeline for the feature we can share.

As you can imagine we're juggling a number of priorities and are trying to balance them all.

@jobannon jobannon mentioned this issue Jan 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
openid-connect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@mooreds @TruDan @robotdan @ohEmily @smboykin @jdegger @alex-fusionauth