prompt usage has been disabled in 1.1.3 for auto-login | Proposals to fix prompt usage in a future NLX version #91

Closed
gdestuynder opened this issue Mar 22, 2018 · 2 comments

Comments

@gdestuynder
Contributor

See also: #87 where prompt was disabled for NLX 1.1.3

TLDR:

  • RP GET /authorize.. 302
  • ... GET /login
  • we detect there is no prompt setting and that we should try autologin and we 302
  • .. GET /authorize?prompt=none
  • Account is a Google account, auth0 302 to google
  • GET google.com/authorize?prompt=none <= prompt param is forwarded by auth0 here
  • google 302 to auth0 callback with access_denied code (which is not a valid OpenID Connect code)
  • auth0 302 to the RP forwarding the error code
  • User is stuck / can't log in

Possible fixes:
A) Google sends a valid error code such as login_required or interaction_required and auth0 sees it, then retries with prompt=login (this might already work, but I haven't tested) (most preferred)

B) We disable the Google social connector, add a new custom connector that uses Google OIDC and drop the prompt= param ourselves, or handle the return code ourselves

C) We don't follow the standard and don't implement prompt (least preferred)

Note:
GitHub may suffer from the same issue, not tested.
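
Added example, not part of the original issue or the NLX code base: one way a relying party could "handle the return code ourselves" after a failed `prompt=none` attempt, retrying once with `prompt=login` as in fix A. The function name, URLs and state values are hypothetical, and treating `access_denied` as retryable is an assumption drawn from the flow described above.

```javascript
// Error codes OpenID Connect Core defines for a prompt=none request that
// cannot be completed without showing the user some UI.
const SILENT_AUTH_ERRORS = new Set([
  'login_required',
  'interaction_required',
  'account_selection_required',
  'consent_required',
]);

// Hypothetical helper: decide what to do with an authorization callback.
// callbackUrl  - the URL the provider redirected the browser back to
// authorizeUrl - the /authorize request that produced this callback
function handleSilentAuthCallback(callbackUrl, authorizeUrl) {
  const cb = new URL(callbackUrl);
  const request = new URL(authorizeUrl);

  // Ignore responses that do not echo the state we sent, so a forged
  // callback cannot drive the login flow or trigger a redirect.
  if (cb.searchParams.get('state') !== request.searchParams.get('state')) {
    return { action: 'show_error', error: 'state_mismatch' };
  }

  const error = cb.searchParams.get('error');
  if (!error) {
    return { action: 'complete' };
  }

  // Retry only when the failed request was the silent one. The retry uses
  // prompt=login, so a second failure is not retried and cannot loop.
  const wasSilent = request.searchParams.get('prompt') === 'none';
  // Assumption: access_denied is treated like the silent-auth errors because
  // the flow above shows it coming back from the upstream identity provider.
  const retryable = SILENT_AUTH_ERRORS.has(error) || error === 'access_denied';
  if (wasSilent && retryable) {
    request.searchParams.set('prompt', 'login');
    return { action: 'retry_interactive', url: request.toString() };
  }

  return { action: 'show_error', error };
}
```

In a real deployment the retry should carry a fresh `state` (and `nonce`) rather than reusing the original values.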

@gene1wood
Contributor

Another fix to explore

D) Contact Auth0 support to ask if there's any way to configure Auth0 to not pass on the prompt=none argument to the Google IDP

@gdestuynder changed the title from "NLX 1.1.3 - re-try to use prompt param for autologin" to "prompt usage has been disabled in 1.1.3 for auto-login | Proposals to fix prompt usage in a future NLX version" on Apr 2, 2018

@hidde
Contributor

hidde commented May 23, 2018

This has been fixed with solution (C) because it was needed to make autologin work with Firefox Accounts. That has also fixed the issue for Google.

Closing this for now, certainly happy to review/improve at a later stage.

@hidde hidde closed this as completed May 23, 2018