Open hauntingEcho opened 5 years ago
Actually it shall be possible to configure any valid value for prompt. They are there for a reason. I, for example, need to set it to "login".
@hauntingEcho @ibaskine Since Spring Security 5.1, you do have the ability to customize the Authorization Request by including additional parameter(s) (e.g. prompt) using a custom implementation of OAuth2AuthorizationRequestResolver. Please see the ref doc on how to do this.
Either way, I'm going to leave this ticket open as it addresses support for using the prompt parameter to asynchronously refresh the session in the background as outlined in the session management spec.
@jgrandja @hauntingEcho I have a requirement to keep the user logged in until the application session expires. However, the identity provider's access token is valid for 10 hours, therefore the user is logged out after 10 hours while the application session is still active.
Could this prompt feature potentially solve my problem?
Summary
Some workflows in OpenID Connect are dependent on being able to use prompt=none to asynchronously refresh the session in the background. In particular, the draft specs for session management depend on the ability to use prompt=none via requests in a hidden iframe (see section 4.1). This is analogous to using isPassive in a SAML2 AuthnRequest.
In order to do that in a web application using spring-security, the OAuth2AuthorizationRequestResolver in use needs to be able to send the prompt=none flag when redirecting a user to an upstream identity provider when non-interactivity is requested by a user. This would also imply that a mechanism would be needed by which clients can request non-interactive session refreshes (which could theoretically share behavior between OIDC & other backing systems such as SAML).
Currently, there is no support for this in DefaultOAuth2AuthorizationRequestResolver, which is used by default when configuring an OpenID Connect login flow. See also some discussion of this in #6742.
Configuration
in the WebSecurityConfigurerAdapter:
in Spring-boot properties:
Version
5.1.5 (via spring-boot 2.1.4)
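As an added example (not code from this issue, from Spring Security, or from its reference documentation), the following shows the customization jgrandja's comment points to, applied to the use case in the Summary: a resolver that wraps DefaultOAuth2AuthorizationRequestResolver and adds the OIDC prompt parameter, sending prompt=login for ordinary interactive logins (ibaskine's case) and prompt=none when the request carries a passive=true query parameter, which is the marker a hidden iframe would add when it asks for a non-interactive session refresh. The passive parameter name, the class names and the security configuration are assumptions made for the example; the Spring Security calls (OAuth2AuthorizationRequest.from, additionalParameters, authorizationRequestResolver, the two resolve overloads) are the 5.1 API.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Added example, not code from this issue or from Spring Security: a resolver that delegates
 * the real work (client registration lookup, state, nonce, redirect_uri, scopes) to
 * DefaultOAuth2AuthorizationRequestResolver and only adds the OIDC "prompt" parameter.
 *
 * Assumption: a hidden iframe requests a background refresh by loading
 * /oauth2/authorization/{registrationId}?passive=true. The "passive" name is made up here;
 * it is the "mechanism by which clients can request non-interactive session refreshes"
 * that the Summary says is still missing.
 */
public class PromptAwareAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

    /** Hypothetical query parameter marking a non-interactive (iframe) session refresh. */
    static final String PASSIVE_PARAM = "passive";

    private final OAuth2AuthorizationRequestResolver delegate;

    public PromptAwareAuthorizationRequestResolver(ClientRegistrationRepository clients) {
        // Same base URI ("/oauth2/authorization") the default resolver uses when nothing is customized
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(
                clients, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return withPrompt(this.delegate.resolve(request), request);
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return withPrompt(this.delegate.resolve(request, clientRegistrationId), request);
    }

    private static OAuth2AuthorizationRequest withPrompt(OAuth2AuthorizationRequest original,
                                                         HttpServletRequest request) {
        if (original == null) {
            // The delegate returns null for requests outside /oauth2/authorization/**;
            // pass that through unchanged so the redirect filter ignores them as before.
            return null;
        }
        // prompt=none: the provider must not render any UI and, if it cannot authenticate the
        // user silently, returns an error (e.g. login_required) to the redirect URI instead.
        // Any other request: force a fresh login, which is what ibaskine asked for above.
        boolean passive = "true".equals(request.getParameter(PASSIVE_PARAM));
        Map<String, Object> params = new LinkedHashMap<>(original.getAdditionalParameters());
        params.put("prompt", passive ? "none" : "login");
        // from() copies the delegate's state, scopes, redirect_uri and attributes; build()
        // renders the authorization request URI again, so the new parameter reaches the provider.
        return OAuth2AuthorizationRequest.from(original)
                .additionalParameters(params)
                .build();
    }
}

/** Wiring of the resolver into a WebSecurityConfigurerAdapter (hypothetical configuration class). */
@EnableWebSecurity
class PromptAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    private final ClientRegistrationRepository clients;

    PromptAwareSecurityConfig(ClientRegistrationRepository clients) {
        this.clients = clients;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .authorizationEndpoint()
                    .authorizationRequestResolver(
                            new PromptAwareAuthorizationRequestResolver(this.clients));
    }
}
```

Two caveats a practitioner should check before relying on this. First, prompt=none only covers the outbound half of the iframe flow: when the provider cannot authenticate silently it redirects back with an error such as login_required, which OAuth2LoginAuthenticationFilter treats as an authentication failure (by default a redirect to /login?error), so the page that owns the hidden iframe must detect that outcome and decide whether to start an interactive login. Second, the resolver adds the parameter to every request carrying passive=true without checking who issued it, which is acceptable for a non-interactive refresh but means the interactive prompt=login branch is the one a user actually sees; do not let user-controlled input choose arbitrary prompt values beyond the two fixed strings used here.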