Could you advise on the best approach for implementing prompt=none?

[nannany]

I’m using zitadel/oidc and would like to implement support for prompt=none. When considering the implementation on the OP side for the authentication request, I expect the following behavior: if a session already exists, redirect directly to the relying party’s callback endpoint; otherwise, display the login screen.

I believe this conditional branching is best implemented in op.Authorize, which likely involves using op.AuthResponse. However, op.Authorize does not seem to allow passing the necessary arguments to op.AuthResponse.

What would be the appropriate approach to handle this?

[hifabienne]

Hi @nannany
According to the OIDC spec, the prompt=none should never display any authentication or consent screens.
If a user is not authenticated an error should be shown.
https://openid.net/specs/openid-connect-core-1_0.html

[hifabienne]

In the relying party is a function called WithPrompt, you should be able to set it with that

[nannany]

I would like to implement an OpenID Provider (OP), so this is not about the relying party.

For the prompt=none flow, I envision the process as follows:

sequenceDiagram
    participant u as User Agent
    participant r as Relying Party
    participant o as OpenID Provider
    u ->> r: login with prompt=none
    r -->> u: redirect to op
    u ->> o: access Authorization Endpoint
    o ->> o: check session
    note over o: session is valid. user is authenticated
    o ->> o: constructing the callback URL
    o -->> u: redirect to rp callback endpoint
    note over u: the following omitted

Loading

I believe that constructing the callback URL should be handled within op.Authorize. If there are any implementation examples or guidance on this, I would like to refer to them.

[hifabienne]

Let me tag @muhlemmer and @livio-a I think they are able to help you better than me

[muhlemmer]

In our product ZITADEL we pin the useragent to the user. When there is exactly one SSO session active, we set the userinfo when creating the Auth Request:

https://github.com/zitadel/zitadel/blob/6780c5a07ca491690e0af6d8baeac9aa5d69cabe/internal/auth/repository/eventsourcing/eventstore/auth_request.go#L173-L176

https://github.com/zitadel/zitadel/blob/6780c5a07ca491690e0af6d8baeac9aa5d69cabe/internal/auth/repository/eventsourcing/eventstore/auth_request.go#L740-L757

At that point the user is redirected to the login UI URL. The login UI will retrieve the auth request and sees prompt == none. Then it will use the /auth/callback URI to send the user back the the OIDC library.

https://github.com/zitadel/zitadel/blob/6780c5a07ca491690e0af6d8baeac9aa5d69cabe/internal/auth/repository/eventsourcing/eventstore/auth_request.go#L1034-L1037

The AuthorizeCallback handler then must check all requirements are fulfilled:

oidc/pkg/op/auth_request.go

Lines 418 to 440 in 9f7cbb0

	func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
	ctx, span := tracer.Start(r.Context(), "AuthorizeCallback")
	r = r.WithContext(ctx)
	defer span.End()
	id, err := ParseAuthorizeCallbackRequest(r)
	if err != nil {
	AuthRequestError(w, r, nil, err, authorizer)
	return
	}
	authReq, err := authorizer.Storage().AuthRequestByID(r.Context(), id)
	if err != nil {
	AuthRequestError(w, r, nil, err, authorizer)
	return
	}
	if !authReq.Done() {
	AuthRequestError(w, r, authReq,
	oidc.ErrInteractionRequired().WithDescription("Unfortunately, the user may be not logged in and/or additional interaction is required."),
	authorizer)
	return
	}
	AuthResponse(authReq, authorizer, w, r)
	}

Note that the actual checks happen in the GetAuthRequestByID. In our implementation the above nextSteps function is called again, but this time the checkLoggedIn flag is true. This time we check there is a userID in the auth request and that the user is still active etcetera:

https://github.com/zitadel/zitadel/blob/6780c5a07ca491690e0af6d8baeac9aa5d69cabe/internal/auth/repository/eventsourcing/eventstore/auth_request.go#L1038-L1047

[nannany]

Thank you for providing the implementation example.

Based on the above example, I understand that the sequence would proceed as follows:

sequenceDiagram
    participant u as User Agent
    participant r as Relying Party
    participant o as OpenID Provider
    note over u: omitted
    u ->> o: access Authorization Endpoint with prompt=none
    o ->> o: check session
    note over o: session is valid. user is authenticated
    o -->> u: redirect to /auth/callback
    u ->> o: access /auth/callback
    o -->> u: redirect to relying party's redirect_uri
    u ->> r: access redirect_uri
    note over u: the following omitted

Loading

---

I understand that the /auth/callback endpoint on the OpenID Provider is outside the scope of the OIDC specification and is a unique mechanism specific to zitadel/oidc.

From reviewing the proposal, it appears that support for /auth/callback will be removed in version 4. Do you have any expectations or recommendations on how to handle this change when it occurs?

[muhlemmer]

Well, it should be possible for a login implementation to redirect the user directly to the application upon fulfilling the last step.
As mentioned in the issue, because of the storage interface requirement, we needed the redirect back to OIDC to mark the auth request as completed.

In the future we want to use the Server interface instead. In that case the handling of the auth request and related storage can be implemented freely by the consumer and it's easier to complete the flow.