English

oidc
prompt
auth
authentication flow
oidc prompt

OIDC Prompt 101: A simple guide for developers

OIDC prompt is a parameter that can be used to control the behavior of the authentication flow. This blog post explains how OIDC prompt works and which one to use in different scenarios.

Charles

Developer

3/18/20242 min read

Stop wasting weeks on user auth

Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.

Get started

OIDC Prompt 101: A Simple Guide for Developers

Introduction

In our journey through the OIDC protocol, we've explored many corners, but one area that consistently deserves attention is the OIDC prompt. This little parameter holds big importance in steering authentication flow.

In this blog post, we'll break down the OIDC prompt, looking at what it does and why it matters for developers.

Understanding OIDC prompt

At its core, OIDC prompt is a parameter that developers can include in authentication requests to instruct the OpenID Connect provider on how to handle the authentication process. It essentially serves as a directive, guiding the provider on how to interact with the user during authentication.

Prompt options

Login: The login prompt instructs the OpenID Connect provider to force the user to log in, even if they have an existing authenticated session. This is particularly useful in scenarios where re-authentication is necessary for sensitive operations or to ensure the user's identity hasn't changed since their last login. Note: In Logto, if only Login prompt is specified, no refresh token will be issued to the client.
Consent: When developers include the consent prompt, the OpenID Connect provider requests the user's consent before releasing their information to the client application. This helps in fostering transparency and ensuring that users have control over their data. A typical consent screen in Logto
Select account: The select account prompt enables users to choose from multiple accounts linked to their identity. This is common in scenarios where users have associated various profiles or personas with a single identity and need to specify which one to use for authentication.
None: The none prompt instructs the OpenID Connect provider not to interact with the user. If the user's session is not currently authenticated or requires additional steps, the provider responds with an error, indicating that the request cannot be completed without user interaction.

Combining prompts

You can mix prompts to create custom login experiences. For example, using both Login and Consent prompts means users have to log in and say "yes" before accessing certain stuff. It's extra security plus being upfront about data access.

Implications for developers

Understanding the OIDC prompt is key for developers working with OIDC. It helps make logins smooth and safe. By using prompt options wisely, developers can tweak logins to fit their app's needs while keeping user privacy and security in mind.

We hope this guide has shed some light for you. If you have any questions or thoughts, feel free to join our Discord channel and chat with us!

Join Discord

OIDC Prompt 101: A Simple Guide for Developers

Introduction

In this blog post, we'll break down the OIDC prompt, looking at what it does and why it matters for developers.

Understanding OIDC prompt

Prompt options

Login: The login prompt instructs the OpenID Connect provider to force the user to log in, even if they have an existing authenticated session. This is particularly useful in scenarios where re-authentication is necessary for sensitive operations or to ensure the user's identity hasn't changed since their last login. sign-in page

Note: In Logto, if only Login prompt is specified, no refresh token will be issued to the client.

Consent: When developers include the consent prompt, the OpenID Connect provider requests the user's consent before releasing their information to the client application. This helps in fostering transparency and ensuring that users have control over their data. consent page

A typical consent screen in Logto

Select account: The select account prompt enables users to choose from multiple accounts linked to their identity. This is common in scenarios where users have associated various profiles or personas with a single identity and need to specify which one to use for authentication.

None: The none prompt instructs the OpenID Connect provider not to interact with the user. If the user's session is not currently authenticated or requires additional steps, the provider responds with an error, indicating that the request cannot be completed without user interaction.

Combining prompts

Implications for developers

We hope this guide has shed some light for you. If you have any questions or thoughts, feel free to join our Discord channel and chat with us!

OIDC Prompt 101: A Simple Guide for Developers#

Introduction#

Understanding OIDC prompt#

Prompt options#

Combining prompts#

Implications for developers#

OIDC Prompt 101: A Simple Guide for Developers#

Introduction#

Understanding OIDC prompt#

Prompt options#

Combining prompts#

Implications for developers#

OIDC Prompt 101: A Simple Guide for Developers

Introduction

Understanding OIDC prompt

Prompt options

Combining prompts

Implications for developers

OIDC Prompt 101: A Simple Guide for Developers

Introduction

Understanding OIDC prompt

Prompt options

Combining prompts

Implications for developers