Oidc-client-js: signinSilent overwrite prompt parameter

Created on 29 Jun 2017 · 13 Comments · Source: IdentityModel/oidc-client-js

I'm using oidc-client with an Angular2 app and IdentityServer3, where I have auto login using NTLM.

I want to use silent login to log the user in as there is no interaction needed, but when I try to do it IS3 throws an error with the info: "prompt=none was requested. But user is not authenticated.": https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/ResponseHandling/AuthorizeInteractionResponseGenerator.cs#L138

I tried to set prompt in oidc-client by parameter but the signinSilent method ignores it and sets it to "none":
https://github.com/IdentityModel/oidc-client-js/blob/dev/src/UserManager.js#L138

There was an identical issue for the oidc-token-manager lib: https://github.com/IdentityModel/oidc-token-manager/issues/12

Can the same fix be applied for it?

question

All 13 comments

Possibly. I forget why you'd want to do an iframe without prompt=none, though.

I think you mean that prompt=none in an invisible iframe is logical because you don't want to show any prompt to the user. Unfortunately, in the OpenID spec there is:

prompt
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:
none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

So according to "An error is returned if an End-User is not already authenticated", IS3 throws an error if I try to log in with the prompt=none parameter.

And of course an iframe is a much more convenient solution than a popup or redirect when I don't need user interaction for log in.

So according to "An error is returned if an End-User is not already authenticated", IS3 throws an error if I try to log in with the prompt=none parameter.

In what way? At IdSvr3, or as an error response back to the client?

Well, from the JS client side I have this on the network tab:

https://localhost:44300/connect/authorize?client_id=js&redirect_uri=http%3A%2F%2Flocalhost%3A56668%2Fpopup.html&response_type=id_token&scope=openid%20profile&state=ca97bffb49734238ba848d565b6a1f78&nonce=8c0d4919b4a64f2a99a4a474a539a6d5&prompt=none

and the error in the redirect back from IdSvr3:

http://localhost:56668/popup.html#error=login_required&state=d5cb21eda34547dd965e4cc8dfac688d

Not sure if this relates to you, but I had the same issue and my problem was that my client had Require Consent on. Once I turned that off that message went away.

Scratch my earlier comment. My issue is that the signinSilent function in the UserManager is forcing args.prompt = "none". I have a parent app and an iframe app in it. Users can't get into the iframe app unless they are logged into the main app. So when the iframe app logs in it should send prompt="login". The user will not see any login screen because identity has already been established when they logged into the main app.

@j4ro yes, that error tells you that the user must login. The error message is sent back to the client. I don't think the STS is showing anything, as per the spec.

@dturska The semantics of signinSilent are specifically to use prompt=none. This is by design. It's not meant to be used in a visible iframe.

All set on this issue -- can we close?

@brockallen
So there is still fixed prompt=none parameter in signinSilent?

Just to be clear, this method works perfectly for token renewing, but if you are using it to log in:

  • when you are using signinSilent, OIDC Client sets prompt=none (even if it was set in settings to a different value),
  • ID3 checks if you are already signed in: (https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/ResponseHandling/AuthorizeInteractionResponseGenerator.cs#L133)
  • if you are not signed in but provide prompt=none you get this error: (https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/ResponseHandling/AuthorizeInteractionResponseGenerator.cs#L138)

So if it is not designed to be used for the first log in, we can close it. Otherwise there should be an option to provide this parameter.

It's designed to make authorization requests in a hidden iframe, so yes, this means always pass prompt=none. So you can use it to renew tokens, but you can also use it to "login" to the client if the user already has a session at the token server. There's also an API querySessionStatus to query the user's session at the token server.
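As an added example (not code from oidc-client-js or from anyone in this thread), here is how a client can honour the design described above: keep prompt=none for the hidden-iframe attempt, verify the returned state, and fall back to an interactive sign-in only when the token server answers login_required or a related interaction error. The callback URL and state value are the ones quoted earlier in the thread; the function names and the injected `silent`/`interactive` callbacks are assumptions for the example.

```javascript
// Added example: classify the fragment that comes back from a prompt=none
// (signinSilent) authorize request and decide whether interactive login is needed.
// Error codes listed in the OpenID Connect spec for a prompt=none failure.
const INTERACTION_ERRORS = new Set(["login_required", "interaction_required", "consent_required"]);

// Parse "#error=...&state=..." or "#id_token=...&state=..." into a plain object.
function parseFragment(url) {
  const hash = url.indexOf("#");
  if (hash < 0) return {};
  return Object.fromEntries(new URLSearchParams(url.slice(hash + 1)));
}

// The state check comes first: a response whose state does not match the request
// we issued is discarded before its error or token is looked at.
function classifySilentResponse(url, expectedState) {
  const r = parseFragment(url);
  if (r.state !== expectedState) return { status: "state_mismatch" };
  if (r.error) {
    return INTERACTION_ERRORS.has(r.error)
      ? { status: "interaction_required", error: r.error }
      : { status: "error", error: r.error };
  }
  if (r.id_token) return { status: "signed_in", idToken: r.id_token };
  return { status: "error", error: "missing_id_token" };
}

// signinSilent always sends prompt=none, so the fallback lives in the caller:
// try the hidden iframe first, and only start an interactive request when the
// token server reports that interaction is required. `silent` returns the
// callback URL of the iframe attempt; `interactive` starts the visible flow.
// Both are injected (hypothetical) so the logic runs without a browser.
function signinWithSilentFirst(expectedState, silent, interactive) {
  const result = classifySilentResponse(silent(), expectedState);
  if (result.status === "signed_in") return { via: "silent", idToken: result.idToken };
  if (result.status === "interaction_required") return { via: "interactive", result: interactive() };
  throw new Error("silent sign-in failed: " + result.status);
}

// Constructed sample input: the error callback quoted in this thread.
const SAMPLE_ERROR_CALLBACK =
  "http://localhost:56668/popup.html#error=login_required&state=d5cb21eda34547dd965e4cc8dfac688d";
const SAMPLE_STATE = "d5cb21eda34547dd965e4cc8dfac688d";
```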

I'm facing the same issue when sending prompt=none to the IDP. The response is require_login. However, when I remove the prompt=none it works fine. So I think signinSilent should allow overwriting it.

@baoduy It would make my life so much easier because I ended up editing this prompt=none inside the downloaded package every time.

I will make a pull request for this change.
