When to use prompt=login and how to handle it? OpenID Connect

Time: 12-06

I need to implement prompt=login in an OIDC provider, but I really have no idea how to do it. Should we log out and display a login form to re-authenticate the user? It seems like a bad idea to me because in this case any client is able to log out any user (it seems very strange to me).

What's more, I don't see any advantages of using prompt=login. After all, you can always use prompt=none to check if the user is still logged in, and if so, verify the received user id from the id_token against the user currently logged in on the client.

So how should an OIDC provider handle prompt=login, and when is prompt=none useful?

CodePudding user response:

PROMPT PARAMETER

To use the prompt parameter, just include it in your authentication request:

GET https://login.example.com/oauth/v2/authorize?
client_id=my-client&
redirect_uri=https://www.example.com&
prompt=login ...

The prompt=login option is often used when logout is problematic, e.g. in some mobile scenarios. In this case an app can simply remove its tokens, then redirect with this parameter set.

The max-age parameter is also related, to force re-authentication when a certain time has passed, rather than implementing logout.

Another use case might be a redirect for a currently logged in user, to get tokens with a higher privilege, e.g. a payment scope.

DELEGATIONS

When a particular user and client authenticate, the authorization server creates a delegation, for the client_id and subject. An SSO cookie is a pointer to all such delegations the user agent has created.

So given these delegations, and a prompt parameter ...

  • User 1 and Client A
  • User 2 and Client A
  • User 1 and Client B

... it should only impact the current client and user, and update that delegation. Whether this works entirely correctly may depend on the provider though.
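The following is an added example, not code from the question or the answer above and not from any real OIDC provider. It models the authorize endpoint's decision for the prompt and max_age parameters (max_age is the OpenID Connect spelling of the parameter the answer calls max-age) over the delegation model the answer describes: an SSO session holds one delegation per client_id, and a re-authentication triggered by prompt=login refreshes the session's auth_time and that client's delegation only, so the other delegations survive and no client can log the user out of other clients. The Provider class, cookie values and client ids are all constructed for the example.

```python
"""Toy OIDC authorize-endpoint logic for prompt=none, prompt=login and max_age.

Added example; not the code of any real provider. Outcomes are returned as
tuples: ("code", subject) when a code can be issued silently, ("login", reason)
when the provider must show its login form, ("error", code) for an OIDC error
redirect such as login_required.
"""
import time
from dataclasses import dataclass, field


@dataclass
class SsoSession:
    """What the SSO cookie points at: the logged-in subject, the time of the
    last interactive authentication (the auth_time claim) and the delegations
    this user agent has created, keyed by client_id."""
    subject: str
    auth_time: float
    delegations: dict = field(default_factory=dict)   # client_id -> created time


@dataclass
class Provider:
    sessions: dict = field(default_factory=dict)      # cookie value -> SsoSession

    def authorize(self, cookie, client_id, prompt=None, max_age=None, now=None):
        """Decide how to answer an authorization request from client_id."""
        now = time.time() if now is None else now
        prompts = set(prompt.split()) if prompt else set()
        # prompt=none must not be combined with any other prompt value
        if "none" in prompts and len(prompts) > 1:
            return ("error", "invalid_request")
        session = self.sessions.get(cookie)
        if session is None:
            # No SSO session: prompt=none may not show UI, so it fails instead
            if "none" in prompts:
                return ("error", "login_required")
            return ("login", "no session")
        if "login" in prompts:
            # Explicit re-authentication requested by this client
            return ("login", "prompt=login requested")
        if max_age is not None and now - session.auth_time > max_age:
            # Authentication is too old for this client's policy
            if "none" in prompts:
                return ("error", "login_required")
            return ("login", "max_age exceeded")
        # SSO: reuse the session; create this client's delegation if missing
        session.delegations.setdefault(client_id, now)
        return ("code", session.subject)

    def login(self, cookie, subject, client_id, now=None):
        """Successful submission of the login form for client_id.

        Refreshes auth_time and the (subject, client_id) delegation only; the
        other delegations in the same SSO session are left untouched, so a
        prompt=login from one client never logs the user out elsewhere."""
        now = time.time() if now is None else now
        session = self.sessions.get(cookie)
        if session is None or session.subject != subject:
            # New or different user on this user agent: start a fresh session
            session = SsoSession(subject=subject, auth_time=now)
            self.sessions[cookie] = session
        session.auth_time = now
        session.delegations[client_id] = now
        return ("code", subject)


def demo():
    """Constructed walk-through: user1 on clients A and B, one SSO cookie."""
    p, t0 = Provider(), 1000.0
    steps = []
    steps.append(p.authorize("c1", "A", prompt="none", now=t0))   # no session yet
    p.login("c1", "user1", "A", now=t0)
    steps.append(p.authorize("c1", "B", now=t0 + 10))             # silent SSO for B
    steps.append(p.authorize("c1", "A", prompt="login", now=t0 + 20))
    p.login("c1", "user1", "A", now=t0 + 20)                      # re-auth for A only
    steps.append(sorted(p.sessions["c1"].delegations))             # B still present
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Real providers attach more state to a delegation (granted scopes, consent, refresh tokens), but the shape of the decision is the same: prompt=none never shows UI and reports login_required instead, prompt=login always does, and max_age falls back to UI only when prompt=none is absent.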
