"prompt" parameter not set correctly during authentication

The MSAL for Android allows you to provide a Prompt parameter during interactive token requests by using SingleAccountPublicClientApplication.signIn or by providing AcquireTokenParameters. Possible Prompt parameters are: [SELECT_ACCOUNT, LOGIN, CONSENT, WHEN_REQUIRED]. As per the documentation in the MSAL for Android’s code, those should map to their OIDC specification counterparts: [select_account, login, consent, none].

Of those mentioned prompt parameters, all seem to work as expected, except for the WHEN_REQUIRED Prompt. The javadoc states the following:

/**
 * acquireToken will not send the prompt parameter to the authorize endpoint.  The user may be prompted to login or to consent as required by the request.
 */

After a Prompt WHEN_REQUIRED is supplied it is later overridden by the MSAL when creating the InteractiveTokenCommandParameters in the CommandParametersAdapter.createInteractiveTokenCommandParameters method using the following code segment:

private static OpenIdConnectPromptParameter getPromptParameter(@NonNull final AcquireTokenParameters parameters) {
    if (parameters.getPrompt() == null || parameters.getPrompt() == Prompt.WHEN_REQUIRED) {
        return OpenIdConnectPromptParameter.SELECT_ACCOUNT;
    } else {
        return parameters.getPrompt().toOpenIdConnectPromptParameter();
    }
}

It seems there is no option to provide the OIDC specification’s prompt=none parameter and therefore there is no way of performing an authentication without the need for the user to input their credentials during login, even though there might be a valid session provided by the browser. You can also observe the set prompt parameter by inspecting the resulting authentication URL opened in the Browser/CustomTab.

In fact, even when fixing the above code segment the Prompt.toOpenIdConnectPromptParameter() method never results in an OpenIdConnectPromptParameter.NONE parameter since it seems to not support a Prompt.WHEN_REQUIRED.

MSAL Version: 1.6.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
kreedula commented, Aug 7, 2020

Thank you for reporting this. I have added a backlog item to fix or in fact see if we can add support for prompt = none.

0 reactions
tanmaymanolkar1 commented, Sep 22, 2020

Closing this issue, since the fix has been rolled out. The following library versions have the fix:
The Msal version: 2.0.1
The common version: 3.0.2
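
A check for the behaviour reported in this issue, as an added example that is not part of the original thread or of MSAL's code: it reads the prompt value from an authorize URL and compares it with what the issue says each Prompt should produce. The class, the stand-in Prompt enum, the sample URLs, and the choice to accept either an omitted parameter or none for WHEN_REQUIRED are assumptions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

public class PromptParameterCheck {
    // Stand-in for the Prompt values listed in the issue (not MSAL's own enum).
    enum Prompt { SELECT_ACCOUNT, LOGIN, CONSENT, WHEN_REQUIRED }

    // Returns the decoded prompt value of an authorize URL, or empty if it is not sent.
    static Optional<String> promptOf(String authorizeUrl) {
        String query = URI.create(authorizeUrl).getRawQuery();
        if (query == null) return Optional.empty();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals("prompt")) {
                String raw = eq < 0 ? "" : pair.substring(eq + 1);
                return Optional.of(URLDecoder.decode(raw, StandardCharsets.UTF_8));
            }
        }
        return Optional.empty();
    }

    // True when the value on the wire is what the issue says the caller should get.
    static boolean matches(Prompt requested, Optional<String> observed) {
        switch (requested) {
            case SELECT_ACCOUNT: return observed.equals(Optional.of("select_account"));
            case LOGIN:          return observed.equals(Optional.of("login"));
            case CONSENT:        return observed.equals(Optional.of("consent"));
            default: // WHEN_REQUIRED: omitted (Javadoc) or "none" (OIDC counterpart)
                return observed.isEmpty() || observed.equals(Optional.of("none"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host and client_id are placeholders.
        String base = "https://login.example.invalid/authorize?client_id=PLACEHOLDER&scope=openid";
        String[][] cases = {
            {"WHEN_REQUIRED", base + "&prompt=select_account"}, // behaviour reported for 1.6.0
            {"WHEN_REQUIRED", base},
            {"LOGIN", base + "&prompt=login"},
        };
        for (String[] c : cases) {
            Optional<String> observed = promptOf(c[1]);
            boolean ok = matches(Prompt.valueOf(c[0]), observed);
            System.out.println(c[0] + " -> prompt=" + observed.orElse("(not sent)") + (ok ? " OK" : " MISMATCH"));
        }
    }
}
```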
