OpenID Connect Prompts: Full list with examples

Technically, the OpenID Connect prompt is a parameter that can be included in the authentication request to control the behavior of the authentication flow. The prompt parameter allows a relying party (RP) to request specific interactions with the user during the authentication process.

Why and When using the OpenID Connect prompt?

Using OpenID Connect prompts, the Relying Party (RP) can customize the authentication and authorization flow to suit their specific needs and improve the user experience.

The main intent behind using a prompt is to change the behavior of the flow depending on what the application need. In the case of a critical application or a critical action, you may want the user to authenticate again.

TL;DR - The OpenID Connect Prompt

Here is a quick summary of the OpenID Connect prompt values. Please note that the behavior of each prompt may vary depending on the OpenID provider (OP) implementation. Read next sections for more details about each prompt.

Prompt ValueDescriptionWhen to useExample
noneSilent authenticationWhen the user has previously granted consent to the application and has an active session. Can be used to check if the user has an active session.prompt=none
loginForce the user to log inFor critical actions or to force a user to changeprompt=login
consentAsk the user to consentTo ask consent even if the scope has been granted previouslyprompt=consent
select_accountAllow the user to select an accountWhen the user has multiple accounts associated with the authentication providerprompt=select_account
createAsk the OP to show the registration page firstWhen you know the user has no created account yetprompt=create

None Prompt

Thenoneprompt is used to silently authenticate the user without prompting for any action. This prompt skips prompting login and consent only when the user has previously granted consent to the application and has an active session of course.

The behavior depends on each OpenID provider (OP). Most of the OP (example: Google OpenID Connect), will return an error when the user is not authenticated or has not already granted the scopes for this application.

For other OP, the none prompt is like a default behavior asking to authenticate only when there is no existing session and asking consent only when one or more scopes have not been previously granted.

An authorization request with none prompt looks like this:

GET /authorize?prompt=none&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com

Login Prompt

The login prompt requires the user to log in to the authentication provider. In other words, this prompt forces the user re-authentication. Some OpenID provider (OP) can invalidate OP sessions when the login prompt is asked.

The login prompt can be used for critical action or to force a user to change. Some OP does not support having multiple accounts, so different subjects, for the same session. A change of account may require making an authorization request with a login prompt to invalidate the first session in place.

An authorization request with login prompt looks like this:

GET /authorize?prompt=login&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com

The consent prompt asks the user to explicitly consent to the scopes requested by the application requesting authentication. In this case, consent will be asked even if the scope has been granted previously for the application.

An authorization request with consent prompt looks like this:

GET /authorize?prompt=consent&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com

Select Account Prompt

The select_account prompt is a special prompt that allows the user to select from multiple accounts associated with the authentication provider. This prompt is typically used in scenarios where the user has multiple identities or personas within the same authentication provider.

For example, a user may have both a personal and a work-related identity associated with their authentication provider. The "select_account" prompt allows the user to select the appropriate identity for the current session.

An authorization request with select_account prompt looks like this:

GET /authorize?prompt=select_account&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com

User Registration / Create Prompt

The create prompt is the newest one and is introduced in this new OpenID Connect Spec about prompt create and published in December 2022.

Because the application has just been released and you know the user has no created account yet, or just because you know that most of your users are new, you may want to remove interaction during onboarding. For this reason, it can be convenient to ask the OP to show the registration page first.

This prompt has been created more for User Experience thanks to some years of implementation experiences and feedback.

An authorization request with create prompt looks like this:

GET /authorize?prompt=create&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com

When designing an authentication flow with OpenID Connect, it's important to carefully consider which prompts to use and how they will affect the user experience and security posture of the application. By following best practices and staying up-to-date with the latest developments in the OpenID Connect specification, relying-parties (RP) can create secure and user-friendly authentication experiences that meet the needs of their users and business requirements.

Resources

Did you find this article valuable?

Support CerberAuth by becoming a sponsor. Any amount is appreciated!