Environment
- Access Manager 4.4
- Access Manager 4.5.0
- Access Manager 4.5.1
- Access Manager 4.5.2
Situation
- Allow the OAuth client application to force a re-login (change of user) for an existing authenticated user session at the IDP server.
- The "prompt" parameter does not trigger a re-login at the IDP server; it is simply ignored in a pure OAuth 2.0 authorization request.
- Running the same test with OpenID Connect instead of pure OAuth 2.0 works as expected.
Resolution
- As a workaround, use OpenID Connect (include "openid" in the scope parameter), which fully supports the "prompt" parameter as defined in the OpenID Connect Core specification.
- An enhancement request has been raised to add this functionality to a future release of NAM.
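The following is an added example, not code from the KB article or from NetIQ. It builds the authorization request the workaround calls for: "openid" in the scope and prompt=login (the OpenID Connect Core value that forces re-authentication), and it refuses to send "prompt" on a pure OAuth 2.0 request, where RFC 6749 gives the parameter no meaning and the IDP will ignore it. The endpoint URL, client_id and redirect_uri are placeholders; substitute the real NAM authorization endpoint for your IDP.

```python
"""Force a re-login through OpenID Connect rather than pure OAuth 2.0.

Added example (not part of the original KB article and not NetIQ code).
The authorization endpoint, client_id and redirect_uri values used below
are placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values OpenID Connect Core 1.0, section 3.1.2.1, allows for "prompt".
VALID_PROMPT_VALUES = {"none", "login", "consent", "select_account"}


def build_authorization_request(authorize_endpoint, client_id, redirect_uri,
                                scope, prompt=None, state=None, nonce=None):
    """Return the authorization request URL (authorization code flow).

    Raises ValueError when "prompt" is requested without "openid" in the
    scope: RFC 6749 does not define "prompt", so an OAuth-only request
    cannot ask for re-authentication and the parameter is dropped by the IDP.
    """
    scopes = scope.split()
    if prompt is not None:
        if "openid" not in scopes:
            raise ValueError(
                '"prompt" is an OpenID Connect parameter; add "openid" to scope')
        values = set(prompt.split())
        unknown = values - VALID_PROMPT_VALUES
        if unknown:
            raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
        if "none" in values and len(values) > 1:
            raise ValueError("prompt=none must not be combined with other values")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        # "state" ties the callback to this request (CSRF protection).
        "state": state or secrets.token_urlsafe(16),
    }
    if "openid" in scopes:
        # "nonce" is an OpenID Connect parameter; it is echoed in the ID token
        # and lets the client detect a replayed token.
        params["nonce"] = nonce or secrets.token_urlsafe(16)
    if prompt is not None:
        params["prompt"] = prompt
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_authorization_response(redirect_url, expected_state):
    """Parse the redirect back to the client and return the authorization code.

    Raises ValueError on an error response or when "state" does not match
    the value sent in the request.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholder endpoint: replace with the NAM IDP's OAuth/OIDC authorization URL.
    AUTHZ = "https://idp.example.com/authorize"
    # Works: OpenID Connect request, prompt=login forces re-authentication.
    print(build_authorization_request(AUTHZ, "my-client", "https://app.example.com/cb",
                                      "openid profile", prompt="login"))
    # Refused: pure OAuth 2.0 request, "prompt" would be silently ignored.
    try:
        build_authorization_request(AUTHZ, "my-client", "https://app.example.com/cb",
                                    "profile", prompt="login")
    except ValueError as exc:
        print("rejected:", exc)
```

The check in build_authorization_request is the point of the article expressed in code: the client cannot rely on "prompt" unless the request is an OpenID Connect request, so a client that needs a change of user must send scope=openid and then verify, after the callback, that the ID token it receives identifies the new user.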
Cause
- RFC 6749 (OAuth 2.0) does not define "prompt" as a parameter of the Authorization Endpoint, so a pure OAuth 2.0 authorization request has no standard way to ask the IDP for re-authentication.
- This parameter is defined only by the OpenID Connect Core specification.
- As per the IANA OAuth Parameters registry, the following authorization request parameters are defined by the OpenID Connect specifications rather than by OAuth 2.0:
- nonce
- display
- prompt
- max_age
- ui_locales
- claims_locales
- id_token_hint
- login_hint
- acr_values
- claims
- registration
- request
- request_uri
- id_token
- session_state
Additional Information
- IANA List of OAuth Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
- There is an Internet-Draft, "OAuth 2.0 User Authentication and Consent For Clients", which addresses a "prompt" parameter for plain OAuth 2.0: https://tools.ietf.org/id/draft-hunt-oauth-v2-user-a4c-01.html