OpenID Connect Prompts: Full list with examples
Technically, the OpenID Connect prompt is a parameter that can be included in the authentication request to control the behavior of the authentication flow. The prompt parameter allows a relying party (RP) to request specific interactions with the user during the authentication process.
Why and When to Use the OpenID Connect prompt?
Using OpenID Connect prompts, the Relying Party (RP) can customize the authentication and authorization flow to suit their specific needs and improve the user experience.
The main intent behind using a prompt is to change the behavior of the flow depending on what the application needs. In the case of a critical application or a critical action, you may want the user to authenticate again.
TL;DR - The OpenID Connect Prompt
Here is a quick summary of the OpenID Connect prompt values. Please note that the behavior of each prompt may vary depending on the OpenID provider (OP) implementation. Read the next sections for more details about each prompt.
Prompt Value | Description | When to use | Example |
---|---|---|---|
none | Silent authentication | When the user has previously granted consent to the application and has an active session. Can be used to check if the user has an active session. | prompt=none |
login | Force the user to log in | For critical actions or to force a user to change account | prompt=login |
consent | Ask the user to consent | To ask consent even if the scope has been granted previously | prompt=consent |
select_account | Allow the user to select an account | When the user has multiple accounts associated with the authentication provider | prompt=select_account |
create | Ask the OP to show the registration page first | When you know the user has no created account yet | prompt=create |
None Prompt
The none prompt is used to silently authenticate the user without prompting for any action. Login and consent are skipped only when the user has an active session and has previously granted consent to the application.
The behavior depends on each OpenID provider (OP). Most OPs (Google's OpenID Connect implementation, for example) return an error when the user is not authenticated or has not already granted the requested scopes to this application.
For other OPs, the none prompt behaves like the default: the user is asked to authenticate only when there is no existing session, and asked for consent only when one or more scopes have not been previously granted.
An authorization request with the none prompt looks like this:
GET /authorize?prompt=none&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com
Login Prompt
The login prompt requires the user to log in to the authentication provider. In other words, this prompt forces the user to re-authenticate. Some OpenID providers (OPs) invalidate the existing OP session when the login prompt is requested.
The login prompt can be used for a critical action or to force a user to change account. Some OPs do not support having multiple accounts, that is, different subjects, for the same session. A change of account may therefore require making an authorization request with a login prompt to invalidate the first session in place.
An authorization request with the login prompt looks like this:
GET /authorize?prompt=login&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com
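The two behaviors described above, the error an OP returns when a prompt=none request cannot be satisfied silently and the re-authentication that prompt=login is supposed to trigger, are what an RP has to handle on its side. The following added example (not code from the original article) builds the authorization request with state and nonce, maps the OIDC Core error codes of a failed silent attempt to the prompt value to retry with, and checks the auth_time claim so the RP verifies that re-authentication actually happened instead of assuming it. The client_id, redirect_uri and host are the values from the requests above; the error-to-prompt mapping and the freshness window are this example's own choices.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the example requests in the article.
AUTHORIZE_ENDPOINT = "https://cerberauth.com/authorize"
CLIENT_ID = "abcd1234"
REDIRECT_URI = "https://mydomain.com/callback"

# OIDC Core error codes an OP returns when prompt=none cannot be honored
# without user interaction, mapped to the prompt value to retry with
# (the mapping is this example's policy, not mandated by the spec).
SILENT_AUTH_ERRORS = {
    "login_required": "login",
    "interaction_required": "login",
    "consent_required": "consent",
    "account_selection_required": "select_account",
}

def build_authorization_url(prompt, state, nonce, scope="openid profile"):
    """Authorization request as in the article (response_type=id_token);
    state and nonce bind the response to this particular request."""
    params = {
        "prompt": prompt, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "response_type": "id_token", "state": state, "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def next_prompt_after_silent_attempt(callback_url, expected_state):
    """Inspect the callback of a prompt=none request. Returns None when a
    token came back (active session), or the prompt value to retry with."""
    parsed = urlparse(callback_url)
    # With response_type=id_token the response is in the fragment; an error
    # may also arrive in the query, so fall back to it.
    params = parse_qs(parsed.fragment or parsed.query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    error = params.get("error", [None])[0]
    if error is None:
        return None
    if error in SILENT_AUTH_ERRORS:
        return SILENT_AUTH_ERRORS[error]
    raise ValueError(f"unexpected error from OP: {error}")

def reauthenticated_recently(id_token_claims, max_age_seconds, now=None):
    """After prompt=login, require a fresh auth_time claim in the (already
    signature- and nonce-verified) ID token rather than trusting the OP."""
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False  # no auth_time: cannot prove re-authentication happened
    return 0 <= now - auth_time <= max_age_seconds
```

If the OP did not re-authenticate and auth_time is stale or absent, the RP should refuse the critical action rather than proceed on the strength of the login prompt alone.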
Consent Prompt
The consent prompt asks the user to explicitly consent to the scopes requested by the application. In this case, consent is asked even if the scopes have been granted previously to the application.
An authorization request with the consent prompt looks like this:
GET /authorize?prompt=consent&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com
Select Account Prompt
The select_account prompt is a special prompt that allows the user to select from multiple accounts associated with the authentication provider. This prompt is typically used in scenarios where the user has multiple identities or personas within the same authentication provider.
For example, a user may have both a personal and a work-related identity associated with their authentication provider. The "select_account" prompt allows the user to select the appropriate identity for the current session.
An authorization request with the select_account prompt looks like this:
GET /authorize?prompt=select_account&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com
User Registration / Create Prompt
The create prompt is the newest one; it was introduced in the OpenID Connect specification for the create prompt, published in December 2022.
When the application has just been released and you know the user has no account yet, or simply because you know that most of your users are new, you may want to reduce the number of interactions during onboarding. For this reason, it can be convenient to ask the OP to show the registration page first.
This prompt was created mainly for user experience, after several years of implementation experience and feedback.
An authorization request with the create prompt looks like this:
GET /authorize?prompt=create&client_id=abcd1234&redirect_uri=https://mydomain.com/callback&scope=openid%20profile&response_type=id_token HTTP/1.1
Host: cerberauth.com
When designing an authentication flow with OpenID Connect, it's important to carefully consider which prompts to use and how they will affect the user experience and security posture of the application. By following best practices and staying up-to-date with the latest developments in the OpenID Connect specification, relying parties (RPs) can create secure and user-friendly authentication experiences that meet the needs of their users and business requirements.