keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

prompt=unspecified as part of authentication url when login via idp #29053

Closed joranb closed 6 months ago

joranb commented 6 months ago

Before reporting an issue

Area

oidc

Describe the bug

I think there might be a bug when configuring an IDP.

From the OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html

prompt
    OPTIONAL. Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

    none
        The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
    login
        The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
    consent
        The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
    select_account
        The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

I cannot see anything on "unspecified".

When setting up an IDP via this url: https://{keycloak_server_url}/admin/master/console/#/{realm}/identity-providers/oidc/{idp_name}/settings it seems like the default value of prompt is "unspecified". But the "unspecified" option specifies prompt=unspecified as part of the url. That broke our integration against Signicat for instance, and I cannot see that it is part of the OIDC spec. The prompt should probably be unspecified (literally, by not being included in the url).

This is the url we got:

https://myidpurl.com/auth/open/connect/authorize?acr_values=idp:nbid nbid_idp:BIS&scope=openid nin&state=pjoZMwbHnsGj8cbxlhZgLW8eEd5awwCYp2R9Fu1aMAU.LT6MJkmXNL8.fxJy3z16Q7qLiovECr_XIQ&response_type=code&client_id=myClientId&redirect_uri=https://myKeyCloakUrl/realms/myRealm/broker/bankid/endpoint&prompt=unspecified&nonce=HyH2DN8h-l16v994K_S_GA

Setting prompt to "login" fixed the issue for us, so apparently Signicat changed their way of handling the prompt value. But from OIDC documentation it seems like it is Keycloak that is handling this wrong since "unspecified" does not seem to be a valid value of prompt.

Version

24.0.1

Regression

Expected behavior

I think the correct behavior would be to leave the value prompt out altogether when choosing "unspecified" from the dropdown in the admin console.

Actual behavior

It provides prompt=unspecified as part of the url.

How to Reproduce?

Set up an idp in Keycloak and make sure prompt is set to "unspecified", then try to login to a client using that idp and inspect the auth url.

Anything else?

No response
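To make the reported behaviour concrete, here is an added example (my own code, not Keycloak's) that does two things a relying-party or broker operator would want: build an OIDC authorization URL that omits the prompt parameter entirely when the configured value is empty or "unspecified", and inspect an existing authorization URL for prompt values that OpenID Connect Core does not define. The endpoint, client_id and redirect_uri in the usage section are constructed placeholders; the REPORTED_URL constant is the URL quoted in this issue.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# prompt values defined by OpenID Connect Core 1.0, section 3.1.2.1.
VALID_PROMPT_VALUES = {"none", "login", "consent", "select_account"}

# The authorization URL quoted in the issue report above (not constructed).
REPORTED_URL = (
    "https://myidpurl.com/auth/open/connect/authorize?acr_values=idp:nbid nbid_idp:BIS"
    "&scope=openid nin&state=pjoZMwbHnsGj8cbxlhZgLW8eEd5awwCYp2R9Fu1aMAU.LT6MJkmXNL8.fxJy3z16Q7qLiovECr_XIQ"
    "&response_type=code&client_id=myClientId"
    "&redirect_uri=https://myKeyCloakUrl/realms/myRealm/broker/bankid/endpoint"
    "&prompt=unspecified&nonce=HyH2DN8h-l16v994K_S_GA"
)


def normalize_prompt(prompt):
    """Return a validated, space-delimited prompt string, or None if it must be omitted.

    None, an empty string, and the admin-console label "unspecified" all mean
    "do not send a prompt parameter at all". Anything else must consist only of
    spec-defined values, and 'none' may not be combined with other values.
    """
    if prompt is None:
        return None
    values = prompt.split()
    if not values or values == ["unspecified"]:
        return None
    unknown = [v for v in values if v not in VALID_PROMPT_VALUES]
    if unknown:
        raise ValueError(f"prompt contains values not defined by OIDC Core: {unknown}")
    if "none" in values and len(values) > 1:
        raise ValueError("prompt=none must not be combined with other prompt values")
    return " ".join(values)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state, nonce,
                            scope="openid", prompt=None, extra=None):
    """Assemble an authorization request URL, leaving prompt out when it is unspecified."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if extra:
        params.update(extra)  # e.g. acr_values, as in the reported URL
    normalized = normalize_prompt(prompt)
    if normalized is not None:
        params["prompt"] = normalized
    return f"{authorize_endpoint}?{urlencode(params)}"


def check_authorization_url(url):
    """Inspect an authorization URL and list problems with its prompt parameter."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    problems = []
    prompts = query.get("prompt", [])
    if len(prompts) > 1:
        problems.append("prompt parameter repeated")
    for p in prompts:
        values = p.split()
        if not values:
            problems.append("prompt parameter present but empty")
        for v in values:
            if v not in VALID_PROMPT_VALUES:
                problems.append(f"invalid prompt value {v!r}")
        if "none" in values and len(values) > 1:
            problems.append("prompt=none combined with other values")
    return problems


if __name__ == "__main__":
    # Constructed placeholder endpoint and client values.
    print(check_authorization_url(REPORTED_URL))
    print(build_authorization_url("https://idp.example/authorize", "myClientId",
                                  "https://rp.example/broker/cb", "state1", "nonce1",
                                  prompt="unspecified"))
```

Running the checker over the URL from the report flags `prompt=unspecified` as a value the spec does not define, while the builder simply drops the parameter for the same input; setting `prompt="login"` yields a URL that passes the check, which matches the workaround described in the report.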

rmartinc commented 6 months ago

Hi @joranb!

There was a bug in the UI in version 19 that sent unspecified to the configuration: https://github.com/keycloak/keycloak/issues/18105. But that was fixed for 21. So now if you set unspecified it should save empty in that config option and nothing should be sent (or the original prompt value in the first interaction with keycloak). Please check what value you really have in the config; if it is unspecified, change it to `` again using the console. Maybe you came from an old version of keycloak with that bug present.

keycloak-github-bot[bot] commented 6 months ago

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.

joranb commented 6 months ago

@rmartinc Thanks for the swift response. It does seem to work with the unspecified option now, after setting the value to something else (like login) and switching it back. It then works as expected, we have upgraded all the way from 19, so that option was untouched till now.

rmartinc commented 6 months ago

Thanks @joranb! Then it's clear that it was issue #18105. You set it at that time and it stayed in the configuration until now. Closing the issue.