Fix OIDC forced re-authentication by making prompt configurable #967

Open
Jignesh4611 wants to merge 2 commits into thedevs-network:main from Jignesh4611:main

Jignesh4611 commented Jan 25, 2026

Fixed #961

Problem

OIDC login always forces re-authentication because prompt=login is hardcoded, ignoring existing IdP sessions.

Solution

  • Removed hardcoded prompt=login.
  • Made OIDC prompt configurable using OIDC_PROMPT.
  • If empty (default), prompt is not sent and existing sessions are reused.

Behavior

  • Default: silent SSO (no forced login).
  • Optional: force login by setting OIDC_PROMPT=login.

Files changed

  • server/passport.js
  • server/env.js
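
The behavior described in the pull request description above, as an added example that is not code from this pull request or from the project's server/passport.js or server/env.js: the prompt parameter is left out of the authorization request when OIDC_PROMPT is empty and sent when it is set. The helper names `parsePrompt` and `buildAuthParams` are hypothetical, the request parameters are constructed sample values, and the validation against the prompt values defined in OpenID Connect Core 1.0 is an assumption added here, not something the pull request describes.

```javascript
// Added example; parsePrompt and buildAuthParams are hypothetical helper names.
// Prompt values defined by OpenID Connect Core 1.0, section 3.1.2.1.
const ALLOWED_PROMPTS = new Set(["none", "login", "consent", "select_account"]);

// Turn the raw OIDC_PROMPT setting into a validated list of prompt values.
// Empty or unset returns [], meaning "do not send prompt at all".
function parsePrompt(raw) {
  const values = (raw || "").trim().split(/\s+/).filter(Boolean);
  const unknown = values.filter((v) => !ALLOWED_PROMPTS.has(v));
  if (unknown.length > 0) {
    throw new Error(`OIDC_PROMPT has unsupported value(s): ${unknown.join(", ")}`);
  }
  // The spec treats "none" combined with any other value as an error.
  if (values.includes("none") && values.length > 1) {
    throw new Error('OIDC_PROMPT: "none" cannot be combined with other values');
  }
  return [...new Set(values)];
}

// Build the authorization request query; prompt is omitted when not configured,
// which lets the IdP reuse an existing session.
function buildAuthParams(base, rawPrompt) {
  const params = new URLSearchParams(base);
  const prompt = parsePrompt(rawPrompt);
  if (prompt.length > 0) {
    params.set("prompt", prompt.join(" "));
  }
  return params;
}

// Constructed sample request parameters (placeholder client and redirect URI).
const SAMPLE_BASE = {
  response_type: "code",
  client_id: "example-client",
  redirect_uri: "https://app.example.test/login/oidc",
  scope: "openid profile email",
};

// Show the resulting query string for three OIDC_PROMPT settings.
for (const setting of ["", "login", "login consent"]) {
  console.log(JSON.stringify(setting), "->", buildAuthParams(SAMPLE_BASE, setting).toString());
}
```

Rejecting an unsupported OIDC_PROMPT value at startup surfaces a misconfiguration in the application's own logs rather than as an error response from the IdP during login.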

@grzegorz-wawrzak-ams

Any idea where it can be merged?
Thanks!

tna76874 commented Apr 8, 2026

Hey there — I also tracked it down to prompt=login to remove the annoying re-login. The suggested change improves usability. If there are no security concerns, it might be merged and bundled in a new release :)

@Jignesh4611
Author

Thanks! This makes prompt configurable and keeps forced login optional via OIDC_PROMPT=login, so no security behavior is lost. Should be safe to merge.

Successfully merging this pull request may close these issues.

OIDC login always forces re-authentication (prompt=login), ignoring existing Authelia session
