Technically, the OpenID Connect prompt is a parameter that can be included in the authentication request to control the behavior of the authentication flow. The prompt parameter allows a relying party (RP) to request specific interactions with the user during the authentication process.
Why and When to Use the OpenID Connect Prompt?
Using OpenID Connect prompts, the relying party (RP) can customize the authentication and authorization flow to suit its specific needs and improve the user experience.
The main intent behind using a prompt is to change the behavior of the flow depending on what the application needs. For a critical application or a critical action, you may want the user to authenticate again.
The first prompts introduced by OpenID Connect are described in the OpenID Connect Core 1.0 specification. Let's now describe them in a bit more detail below.
None Prompt
The none prompt is used to silently authenticate the user without prompting for any action. This prompt skips the login and consent prompts, and it only works when the user has previously granted consent to the application and, of course, has an active session.
The behavior depends on each OpenID provider (OP). Some OPs, like Google's OpenID Connect implementation, return an error when the user is not authenticated or has not already granted the requested scopes to this application.
For other OPs, the none prompt behaves like the default: the user is asked to authenticate only when there is no existing session, and asked for consent only when one or more scopes have not been previously granted.
An authorization request with the none prompt looks like this:
GET /authorize?client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token&prompt=none HTTP/1.1
Host: cerberauth.com
Login Prompt
The login prompt requires the user to log in to the authentication provider again. In other words, this prompt forces the user to re-authenticate. Some OpenID providers (OPs) invalidate the existing OP session when the login prompt is requested.
The login prompt can be used for a critical action or to force a user to change account. Some OPs do not support multiple accounts (that is, different subjects) within the same session. A change of account may then require making an authorization request with a login prompt to invalidate the first session in place.
An authorization request with the login prompt looks like this:
GET /authorize?client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token&prompt=login HTTP/1.1
Host: cerberauth.com
Consent Prompt
The consent
prompt asks the user to explicitly consent to the scopes requested by the application requesting authentication. In this case, consent will be asked even if the scope has been granted previously for the application.
An authorization request with consent
prompt looks like this:
GET /authorize?client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token&prompt=consent HTTP/1.1
Host: cerberauth.com
Select Account Prompt
The select_account prompt is a special prompt that allows the user to select from multiple accounts associated with the authentication provider. This prompt is typically used in scenarios where the user has multiple identities or personas within the same authentication provider.
For example, a user may have both a personal and a work-related identity associated with their authentication provider. The select_account prompt allows the user to select the appropriate identity for the current session.
An authorization request with the select_account prompt looks like this:
GET /authorize?client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token&prompt=select_account HTTP/1.1
Host: cerberauth.com
User Registration Prompt
The create prompt is the newest one; it was introduced in a newer OpenID Connect specification dedicated to the create prompt, published in December 2022.
Because the application has just been released and you know the user has not created an account yet, or simply because you know that most of your users are new, you may want to reduce interaction during onboarding. For this reason, it can be convenient to ask the OP to show the registration page first.
This prompt was created mostly for user experience reasons, based on several years of implementation experience and feedback.
An authorization request with the create prompt looks like this:
GET /authorize?client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token&prompt=create HTTP/1.1
Host: cerberauth.com
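The following added example (not code from the original article) shows how a relying party puts the prompts above to use on its side of the flow: it builds the authentication request with a validated prompt value, sorts the OP's redirect by the errors an OP returns when a prompt=none request cannot be satisfied silently, and, going one step beyond the article, checks the ID token's auth_time after a prompt=login request instead of trusting the prompt alone. The authorize endpoint, client_id and redirect_uri are taken from the requests shown above; the code flow, the state/nonce values and the callback URLs are assumptions constructed for the example.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# prompt values from OpenID Connect Core 1.0, plus "create" from the newer registration spec
ALLOWED_PROMPTS = {"none", "login", "consent", "select_account", "create"}
# errors an OP returns when a prompt=none request cannot be satisfied silently (OIDC Core 3.1.2.6)
SILENT_AUTH_ERRORS = {"login_required", "consent_required",
                      "interaction_required", "account_selection_required"}


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes,
                        state, nonce, prompts=()):
    """Build the RP's authentication request (code flow assumed) with optional prompt values."""
    prompts = list(prompts)
    unknown = set(prompts) - ALLOWED_PROMPTS
    if unknown:
        raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
    if "none" in prompts and len(prompts) > 1:
        # OIDC Core: "none" MUST NOT be combined with any other prompt value
        raise ValueError('"none" must not be combined with other prompt values')
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "response_type": "code",
              "state": state, "nonce": nonce}
    if prompts:
        params["prompt"] = " ".join(prompts)  # space-delimited list, URL-encoded by urlencode
    return f"{authorize_endpoint}?{urlencode(params)}"


def classify_callback(callback_url, expected_state):
    """Decide what the RP does with the OP's redirect back to redirect_uri."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return "reject"              # state mismatch: do not trust this response
    error = query.get("error", [None])[0]
    if error in SILENT_AUTH_ERRORS:
        return "retry_interactive"   # silent prompt=none failed: repeat without prompt=none
    if error:
        return "reject"              # any other error (access_denied, invalid_request, ...)
    return "exchange_code"           # success: exchange the code at the token endpoint


def reauthenticated_recently(id_token_claims, max_age_seconds, now=None):
    """After prompt=login, check the ID token's auth_time rather than trusting the prompt alone."""
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    return auth_time is not None and now - auth_time <= max_age_seconds
```

The id_token_claims passed to the last function are assumed to come from an ID token whose signature, issuer, audience and nonce the RP has already validated.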
When designing an authentication flow with OpenID Connect, it's important to carefully consider which prompts to use and how they will affect the user experience and security posture of the application. By following best practices and staying up to date with the latest developments in the OpenID Connect specifications, relying parties (RPs) can create secure and user-friendly authentication experiences that meet the needs of their users and business requirements.