In OpenID Connect, I would like my users to be automatically connected to my client if they are connected to the identity provider (given that they already authorized my client app).
Here is the workflow I want:
It would be like "Gateway" mode in CAS. I use Authorization Code Flow and I don't want to use JavaScript with Implicit Flow to log in through JS dynamically.
Do you know if it is possible? I can not find it in the spec.
Thanks :)
You are considering SSO behaviour on top of the IdP. This is usually outside the OpenID Connect specification and usually bound to the specific identity provider you are using (e.g. Azure, PING or WSO2). But there are some parameters to tweak this behaviour, such as prompt and login_hint, which are optional.
From the OpenID Connect authentication request section:
prompt
Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
Valid values are login, none, consent and select_account. You can use them to enforce force login or to allow a select account.
login_hint
Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)
One good example is enabling SSO behaviour by passing login_hint to the identity provider. If the identity provider can verify identity against (for example) a corporate LDAP and detect a logged-in state, you can give a credential-free login experience. At the same time, you may use prompt=login to enforce a login, even when the identity provider holds a logged-in session.
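As an added illustration (not code from the question, the answer, or any particular identity provider), the following Python builds a standard Authorization Code request that carries prompt=none, which is the spec's own mechanism for a gateway-style check: the provider either redirects back with a code without showing any UI, or, if the user has no session or interaction would be needed, redirects back with one of the defined error codes (login_required, interaction_required, consent_required, account_selection_required). The callback handler classifies that response so the client can either finish the code exchange or fall back to a normal interactive login. The endpoint, client_id and redirect_uri values are placeholders, and the state check is the usual CSRF protection on the redirect; the nonce must still be verified against the ID token after the code exchange, which is outside this snippet.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Placeholder values (assumptions for this example, not from the post).
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "my-client-app"
REDIRECT_URI = "https://app.example.com/callback"

# Error codes OpenID Connect Core defines for an authentication request that
# cannot be satisfied without user interaction (relevant when prompt=none).
SILENT_AUTH_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def new_state_and_nonce():
    """Fresh, unguessable values; store them in the user's session before redirecting."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_auth_request(state, nonce, prompt=None, login_hint=None, scope="openid"):
    """Return the authorization-endpoint URL for an Authorization Code Flow request.

    prompt="none" asks the provider to answer silently (gateway-style check);
    prompt="login" forces re-authentication even if the provider has a session;
    login_hint tells the provider which identifier the user is likely to use.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if prompt is not None:
        params["prompt"] = prompt
    if login_hint is not None:
        params["login_hint"] = login_hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def classify_callback(callback_url, expected_state):
    """Interpret the provider's redirect back to REDIRECT_URI.

    Returns a dict whose "outcome" is one of:
      "code"        - silent (or interactive) authentication succeeded; exchange the code
      "needs_login" - prompt=none could not be satisfied; send the user to an interactive login
      "reject"      - state mismatch or an unexpected error; do not trust the response
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        # Unknown or replayed state: treat as a forged/stale response.
        return {"outcome": "reject", "reason": "state mismatch"}
    if "error" in query:
        error = query["error"][0]
        if error in SILENT_AUTH_ERRORS:
            return {"outcome": "needs_login", "error": error}
        return {"outcome": "reject", "reason": error}
    if "code" in query:
        return {"outcome": "code", "code": query["code"][0]}
    return {"outcome": "reject", "reason": "no code or error in callback"}


def gateway_flow_decision(callback_url, expected_state, nonce):
    """Decide the next step after the silent attempt, as an app's callback handler would.

    On "needs_login", the app redirects the browser to an interactive request
    (no prompt parameter, or prompt=login), reusing a fresh state/nonce pair.
    """
    result = classify_callback(callback_url, expected_state)
    if result["outcome"] == "needs_login":
        new_state, new_nonce = new_state_and_nonce()
        return "redirect", build_auth_request(new_state, new_nonce)
    if result["outcome"] == "code":
        return "exchange_code", result["code"]
    return "deny", result["reason"]


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print("silent check:", build_auth_request(state, nonce, prompt="none"))
    # Constructed callback as a provider would send it when no session exists.
    simulated = REDIRECT_URI + "?" + urlencode({"error": "login_required", "state": state})
    print(gateway_flow_decision(simulated, state, nonce))
```

The app only ever sees the silent attempt's result on its own redirect URI, so the whole gateway check runs through ordinary browser redirects with no JavaScript and no Implicit Flow. Providers that do not support prompt=none must still return an error rather than showing a login page, which this handler treats as "reject".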