auth0 / nextjs-auth0

Next.js SDK for signing in with Auth0
MIT License

When 'authorizationParams.organization' is given on /api/auth/login, user gets logged in silently #1627

Closed benevbright closed 9 months ago

benevbright commented 9 months ago

Description

We're using authorizationParams.organization=ORG_ID to bypass the organization prompt during the login flow.

login handler

import type { NextApiRequest, NextApiResponse } from "next"
import { initAuth0 } from "@auth0/nextjs-auth0"

// SDK instance; configuration comes from the AUTH0_* environment variables
// (AUTH0_SESSION_AUTO_SAVE=false in our setup, see below)
const auth0 = initAuth0()

export default auth0.handleAuth({
  login: async (req: NextApiRequest, res: NextApiResponse) =>
    auth0.handleLogin(req, res, {
      authorizationParams: {
        // forwarded straight from the query string of /api/auth/login
        invitation: req.query.invitation,
        organization: req.query.organization,
        // prompt: "login", // workaround mentioned below: forces the ID/PW prompt
      },
    }),
})

But I observed weird behaviours:

  1. launch APP_URL/api/auth/login?organization=xxx in a new browser -> fine. Starts with the ID/PW prompt, bypassing the org prompt
  2. go to APP_URL/api/auth/login while the app is running -> fine. Redirected to the login prompt (but it goes to the organization prompt, as the param is not given)
  3. go to APP_URL/api/auth/login?organization=xxx while the app is running -> the user gets silently logged in regardless of whether the session is alive or not, which would be a problem

We want to redirect the user to the re-login prompt, not silently log them in. The workaround is using prompt: "login", and now the user gets redirected to the ID/PW prompt without problem. But I don't understand case no. 3 and wonder if it's a bug. Why does the user get logged in silently?

Reproduction

described above

Additional context

We're using AUTH0_SESSION_AUTO_SAVE=false.

nextjs-auth0 version

3.5.0

Next.js version

13.1

Node.js version

18

frederikprijck commented 9 months ago

Assuming "the session being alive or not" is referring to the application session, I don't think that's a bug, but it's definitely not something our SDK controls, as it relies on the Auth0 session and not the application session.

If you believe it to be a bug (outside of the SDK), please reach out through the corresponding channels (being your account manager, or leaving feedback here: https://auth0.com/feedback).

benevbright commented 9 months ago

> as it relies on the auth0 session and not the application session.

@frederikprijck thanks for the response! BTW, I was referring to the getSession() result from the nextjs-auth0 library.
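Worked example, added here and not part of the issue or of the nextjs-auth0 SDK. The thread boils down to two different sessions: the SDK's application session (what getSession() returns) and the Auth0 tenant's own SSO session. When organization is passed to /authorize and the tenant session is still alive, Auth0 completes the flow without showing a prompt, whatever the application session looks like; prompt=login is what forces a fresh credential prompt. The code below factors that decision into pure, testable helpers: buildAuthorizationParams normalizes Next.js query values (which may be string, string[] or undefined) into the authorizationParams object and applies a policy, and authorizeUrl shows the resulting /authorize request. The policy (require prompt=login whenever an organization is pinned and the application has no session, or when the caller sends ?reauth=1), the reauth query key, the tenant URL, the client id and the redirect URI are all assumptions of this example; the real SDK also adds state, nonce and PKCE parameters through openid-client, which are left out so the effect of organization and prompt stays visible.

```typescript
// Added example; not code from the nextjs-auth0 project or the issue author.

type QueryValue = string | string[] | undefined;
type Query = Record<string, QueryValue>;

export interface LoginAuthorizationParams {
  organization?: string;
  invitation?: string;
  prompt?: "login";
}

// Next.js parses repeated keys as string[]. Accept only a single non-empty
// string so an array can never be forwarded into the authorize request.
export function singleValue(v: QueryValue): string | undefined {
  return typeof v === "string" && v.length > 0 ? v : undefined;
}

/**
 * Decide what handleLogin should send to /authorize.
 * @param query         req.query of the /api/auth/login route
 * @param hasAppSession whether getSession() returned a session for this request
 *
 * Assumed policy: when an organization is pinned and the app has no session,
 * or when the caller asks for it with ?reauth=1, require prompt=login so the
 * tenant's SSO session cannot complete the flow silently.
 */
export function buildAuthorizationParams(
  query: Query,
  hasAppSession: boolean
): LoginAuthorizationParams {
  const params: LoginAuthorizationParams = {};
  const organization = singleValue(query.organization);
  const invitation = singleValue(query.invitation);
  if (organization) params.organization = organization;
  if (invitation) params.invitation = invitation;
  if ((organization && !hasAppSession) || singleValue(query.reauth) === "1") {
    params.prompt = "login";
  }
  return params;
}

/**
 * Simplified picture of the /authorize request built from these params.
 * The SDK also adds state, nonce and PKCE values; omitted here on purpose.
 */
export function authorizeUrl(
  issuerBaseUrl: string,
  clientId: string,
  redirectUri: string,
  params: LoginAuthorizationParams
): string {
  const url = new URL("/authorize", issuerBaseUrl);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid profile email");
  const entries: Array<[string, string | undefined]> = [
    ["organization", params.organization],
    ["invitation", params.invitation],
    ["prompt", params.prompt],
  ];
  for (const [key, value] of entries) {
    if (value) url.searchParams.set(key, value);
  }
  return url.toString();
}

// Wiring into the login handler (assumed; needs @auth0/nextjs-auth0 and the
// app's `auth0` instance, so it is left as a comment here):
//
// login: async (req, res) =>
//   auth0.handleLogin(req, res, {
//     authorizationParams: buildAuthorizationParams(
//       req.query,
//       !!(await auth0.getSession(req, res))
//     ),
//   }),
```

With this split, the request from case 3 of the issue (organization supplied, application session gone) yields prompt=login and the user lands on the credential prompt, while a request made with a live application session keeps the silent organization-scoped login the SDK produces by default.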