OAuth flow, redundant login prompt

I’m using Portainer with Okta as an OAuth backend, using the External authentication extension. It’s working decently, but Okta is demanding that I re-authenticate when logging in to Portainer. I tracked this down to Portainer requesting the extra re-authentication via prompt=login. From strings(1):

response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login

Looking at the OIDC specification, as this is an optional parameter - is there a good reason for why it’s explicitly set to prompt=login? It seems that the flexible option would be to omit it and leave the policy decision re extra authentication, if any, to the IdP.

Per request, this is tracked in https://github.com/portainer/portainer/issues/3342

1 Like