OpenID Connect, redirect without login form if not already logged in?

In OpenID Connect, I would like my users to be automatically connected to my client if they are connected to the identity provider (given that they already authorized my client app).

Here is the workflow I want:

  • USER arrives on CLIENT homepage
  • USER is redirected to IdP (Authorization request)
    • If he's logged in to the IdP, he's redirected to CLIENT and the OIDC workflow begins, then he's logged in to CLIENT
    • If he's not logged in to the IdP or he did not authorize CLIENT to access his identity, the IdP login form is NOT displayed to USER and he's redirected to the CLIENT homepage, not logged in

It would be like "Gateway" mode in CAS. I use the Authorization Code Flow and I don't want to use JavaScript with the Implicit Flow to log in dynamically through JS.

Do you know if it is possible? I cannot find it in the spec.

Thanks :)

Benjamin Bini Avatar asked Jan 17 '18 09:01

1 Answer

You are considering SSO behaviour on top of the IdP. This is usually outside the OpenID Connect specification and usually bound to the specific identity provider you are using (e.g. Azure, PING or WSO2). But there are some parameters to tweak this behaviour, such as prompt and login_hint, which are optional.

From the OpenID Connect authentication request section:

prompt

Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

Valid values are login, none, consent and select_account. You can use them to force a login or to allow account selection.

login_hint

Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).

One good example is enabling SSO behaviour by passing login_hint to the identity provider. If the identity provider can verify identity against (for example) a corporate LDAP and detect a logged-in state, you can give a credential-free login experience. At the same time, you may use prompt=login to enforce a login, even when the identity provider holds a logged-in session.

Kavindu Dodanduwa Avatar answered Oct 11 '22 00:10

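As an added example (not part of either post above), this is how a client can implement the gateway workflow from the question with the Authorization Code Flow and prompt=none: the IdP redirects back either with an authorization code or with one of the error codes OIDC Core 3.1.2.6 defines for a request it cannot satisfy without user interaction, and the client treats those errors as "continue anonymously". The endpoint, client_id and redirect URI in the test are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Error codes OIDC Core 3.1.2.6 returns for a prompt=none request the IdP cannot
# satisfy silently. For the gateway workflow these mean "user stays anonymous".
SILENT_LOGIN_FAILURES = frozenset({
    "login_required",             # no session at the IdP
    "consent_required",           # CLIENT not (or no longer) authorized by the user
    "interaction_required",       # IdP needs some other user interaction
    "account_selection_required",
})


def build_silent_auth_request(authz_endpoint, client_id, redirect_uri, login_hint=None):
    """Return (url, state, nonce) for an Authorization Code Flow request that must
    not show a login form. The caller stores state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)   # binds the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(32)   # must be echoed back inside the ID Token later
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "none",               # IdP answers with an error instead of prompting
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce


def handle_silent_callback(callback_url, expected_state):
    """Classify the IdP's redirect back to CLIENT: ("code", code) when the user was
    silently logged in, ("anonymous", error) when the IdP could not log in without
    interaction; raises for a state mismatch or any other error."""
    query = parse_qs(urlsplit(callback_url).query)
    # The state check comes first: a callback that does not belong to this
    # session is rejected whether it carries a code or an error.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    error = query.get("error", [None])[0]
    if error in SILENT_LOGIN_FAILURES:
        return "anonymous", error
    if error is not None:
        raise ValueError(f"authorization failed: {error}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return "code", code
```

After the code is exchanged at the token endpoint, the ID Token's nonce claim must match the stored nonce before the user is treated as logged in to CLIENT.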