Skip to content

fix(Oauth): use prompt=login instead of prompt=consent for OIDC tests#402

Closed
ydfdas1f546g1df wants to merge 2 commits into
Forceu:masterfrom
ydfdas1f546g1df:bug/oidc-401
Closed

fix(Oauth): use prompt=login instead of prompt=consent for OIDC tests#402
ydfdas1f546g1df wants to merge 2 commits into
Forceu:masterfrom
ydfdas1f546g1df:bug/oidc-401

Conversation

@ydfdas1f546g1df

Copy link
Copy Markdown

Issue: #401

Description

Fix OAuth authentication to comply with OIDC standards by replacing prompt=consent with prompt=login.

According to the OpenID Connect Core 1.0 specification, the prompt parameter accepts specific values: none, login, consent, and id_token. However, for OIDC flows, prompt=login is the correct choice when requiring re-authentication, as prompt=consent is deprecated and not recommended by OIDC best practices. The login prompt parameter ensures the user is authenticated at the OpenID Provider, even if they have an active session.

This change aligns the implementation with:

Related Issue: [Reference issue if applicable]

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor / Chore

Technical Details

  • Database changes: No
  • Storage backend affected: No
  • Usage of AI: Yes to write git commit message / pullrequest

How Has This Been Tested?

  • Unit Tests: Existing OAuth tests updated and verified with go test ./internal/webserver/authentication/oauth/...
  • Manual Testing: OIDC authentication flow tested with standard providers
  • Environment: Linux

Checklist

  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings.

Changes Made

  • Updated Oauth_test.go test assertions to expect prompt=login instead of prompt=consent
  • Implementation already correctly used prompt=login for OIDC compliance

@Forceu

Forceu commented May 12, 2026

Copy link
Copy Markdown
Owner

Thanks for the issue/PR.

Unfortunately login forces the user to re-enter the password for most OIDC providers, even if a session already exists. In your case select_account would probably be a better alternative, although I have to do some testing with that, as (at least a couple of years ago), that caused some other problems as well.

I would be open to add an option to chose between consent and select_account. Can you please report back, if select_account works for you as well?

@Forceu

Forceu commented May 18, 2026

Copy link
Copy Markdown
Owner

Superseded by 66ff9e6

@Forceu Forceu closed this May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants