OAuth Client Application fails on forcing a re-login at IDP by using the optional "prompt=login" parameter

  • 7024648
  • 28-May-2020
  • 29-May-2020

Environment

  • Access Manager 4.4
  • Access Manager 4.5.0
  • Access Manager 4.5.1
  • Access Manager 4.5.2

Situation

  • Allow the OAuth Client application to force a re-login (change user) for an existing authenticated users session at the IDP server.

  • The "prompt" parameter does not trigger a re-login at the IDP server and is simply ignored

  • Running the same test using OpenID Connect instead of pure OAuth works as expected

Resolution

  • As a workaround you can use OpenID Connect (scope=openid), which fully supports the "prompt" parameter as per the OpenID Connect Core specification

  • An Enhancement Request has been made to add this functionality in a future release of NAM

Cause

  • RFC 6749 (OAuth 2.0) does not define "prompt" as a parameter of the Authorization Endpoint

  • This parameter is defined by the OpenID Connect Core specification only

  • As per the IANA OAuth Parameters registry, the following authorization request parameters are defined by the OpenID Connect Core specification only:

    • nonce
    • display
    • prompt
    • max_age
    • ui_locales
    • claims_locales
    • id_token_hint
    • login_hint
    • acr_values
    • claims
    • registration
    • request
    • request_uri
    • id_token
    • session_state
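The following is an added example, not code from the article or from Access Manager, illustrating both the Resolution and the Cause above: a client builds a pure OAuth 2.0 request using only RFC 6749 parameters (so "prompt" is not sent, since the IDP would ignore it), or an OpenID Connect request with scope=openid where "prompt=login" is meaningful. It goes one step beyond the article by also sending max_age=0, which per OpenID Connect Core obliges the OP to return an auth_time claim, and by checking that claim so the client does not merely trust that the re-login was honoured. The endpoint, client_id and redirect_uri values are constructed placeholders; the ID token claims passed to the verifier are assumed to have had their signature checked already.

```python
"""Added example: force re-login through OpenID Connect and verify it happened."""
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; the article gives no endpoint or client details.
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(force_login, use_oidc, endpoint=AUTHZ_ENDPOINT,
                                client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Return (url, state, nonce) for the authorization endpoint.

    use_oidc=False: only RFC 6749 parameters are sent. 'prompt' is not an
    OAuth 2.0 parameter, so it is left out instead of being sent and ignored.
    use_oidc=True: scope includes 'openid', so 'prompt=login' applies. max_age=0
    (an addition beyond the article) makes the OP include auth_time in the
    ID token, which lets verify_reauthentication() confirm a fresh login.
    """
    state = secrets.token_urlsafe(16)            # CSRF protection for the callback
    nonce = secrets.token_urlsafe(16) if use_oidc else None  # binds ID token to request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile" if use_oidc else "api.read",  # constructed scopes
        "state": state,
    }
    if use_oidc:
        params["nonce"] = nonce
        if force_login:
            params["prompt"] = "login"
            params["max_age"] = "0"
    return endpoint + "?" + urlencode(params), state, nonce


def verify_reauthentication(id_token_claims, request_time, expected_nonce, max_skew=60):
    """Check that the ID token reflects a login performed for this request.

    id_token_claims: payload of an already signature-verified ID token (dict).
    request_time: Unix time at which the authorization request was issued.
    Returns True only if the nonce matches and auth_time is not earlier than
    request_time minus max_skew seconds; a missing auth_time counts as failure,
    because without it the client cannot tell whether the prompt was honoured.
    """
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return False
    return auth_time >= request_time - max_skew
```

The verifier deliberately fails closed on a missing auth_time: OpenID Connect Core only requires that claim when max_age is sent or auth_time is requested as an essential claim, which is why the request adds max_age=0 alongside prompt=login.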

Additional Information