I’m using Portainer with Okta as an OAuth backend, using the External authentication extension. It’s working decently, but Okta is demanding that I re-authenticate when logging in to Portainer. I tracked this down to Portainer requesting the extra re-authentication via prompt=login. From strings(1):
Looking at the OIDC specification, as this is an optional parameter - is there a good reason for why it’s explicitly set to prompt=login? It seems that the flexible option would be to omit it and leave the policy decision re extra authentication, if any, to the IdP.