Expose prompt option in login method #3759

Open
wants to merge 2 commits into main

Conversation

NoelDeMartin (Contributor)

This PR is mostly a feature request, but I figured I'd open a PR with the changes to propose a solution.

The feature request is basically to expose the prompt option in the login. I always thought that working with various Solid PODs was annoying because they asked for confirmation on every page reload, but recently I realized it's actually the expected behaviour because this library sends the "consent" prompt parameter during the authentication request. This is done internally, so it would be nice to expose this to clients and let them decide how to behave.

Currently, this can be bypassed using the prompt parameter anyway, and telling TypeScript to ignore the problem. But there is another issue. Eventually, the prompt parameter is resolved using a null coalescing operator that defaults to "consent". This is a problem because in some implementations (for example, in Laravel), there is a distinction between using "none" or omitting the parameter altogether. There should be a way to explicitly avoid sending the parameter, even if the default behaviour is to use "consent".
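The two resolutions the description contrasts, as an added TypeScript example that is not code from the library under discussion or from the PR: the `??` defaulting that makes the parameter impossible to omit, beside a builder that distinguishes "absent", "given" and "opted out", plus a check for the refresh-token consequence the maintainer raises later in the thread. The option shape, the function names and the `prompt: false` opt-out sentinel are assumptions.

```typescript
type Prompt = "none" | "login" | "consent" | "select_account";

// Hypothetical option shape; `prompt: false` is a constructed opt-out sentinel.
interface LoginOptions {
  clientId: string;
  redirectUrl: string;
  scopes?: string[];
  prompt?: Prompt | false;
}

const DEFAULT_SCOPES = ["openid", "webid", "offline_access"];

function baseParams(opts: LoginOptions, scopes: string[]): Record<string, string> {
  return {
    response_type: "code",
    client_id: opts.clientId,
    redirect_uri: opts.redirectUrl,
    scope: scopes.join(" "),
  };
}

// Behaviour described in the PR: null coalescing turns "not given" into
// "consent", so a caller has no way to leave the parameter out entirely.
type CoalescingOptions = Omit<LoginOptions, "prompt"> & { prompt?: Prompt };
export function buildParamsWithCoalescing(opts: CoalescingOptions): Record<string, string> {
  const params = baseParams(opts, opts.scopes ?? DEFAULT_SCOPES);
  params.prompt = opts.prompt ?? "consent";
  return params;
}

// Proposed resolution: three states instead of two.
//   undefined -> default "consent"; string -> sent as given; false -> omitted.
export function buildParamsExplicit(opts: LoginOptions): Record<string, string> {
  const params = baseParams(opts, opts.scopes ?? DEFAULT_SCOPES);
  if (opts.prompt === undefined) {
    params.prompt = "consent";
  } else if (opts.prompt !== false) {
    params.prompt = opts.prompt;
  }
  return params;
}

// The maintainer's concern, made checkable: OpenID Connect Core 1.0 section 11 has
// the OP ignore offline_access unless it is an authorization code request that also
// carries prompt=consent (OP-specific exceptions aside); no refresh token is issued.
export function refreshTokenAtRisk(params: Record<string, string>): boolean {
  const scopes = (params.scope ?? "").split(" ");
  return scopes.includes("offline_access") && (params.response_type !== "code" || params.prompt !== "consent");
}
```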

@NoelDeMartin NoelDeMartin requested a review from a team as a code owner October 31, 2024 14:21
@NoelDeMartin NoelDeMartin changed the title Expose prompt option Expose prompt option in login method Oct 31, 2024
NSeydoux (Contributor) commented Nov 5, 2024

Hi @NoelDeMartin, thanks for the suggestion.

The reason for this prompt parameter to be hard-coded is because it is mandatory when requesting the offline_access scope, which results in a refresh token being issued. Without this refresh token, the session is only good for the duration of the issued Access Token, which is (purposefully) short.

My concern with the proposed change is that the consequences of opting out of the prompt parameter are not quite clear to a developer, and it may result in confusion when the user starts being logged out after 5 minutes (lifespan of the token).

For me to make sure I'm understanding the problem properly, when exactly are you getting prompted for consent? That should happen when logging in the first time, and then again when you do a "full" logout (as in, terminating the session on the OpenID Provider, not only on the client), but in between, as long as you're using the same client, if you are "only" logging out of the app you should not get prompted again. It may only be applicable if you're using a Client Identifier though (because the consent is given to one specific client, so when using dynamic client registration, prompt is asked on each login).

NoelDeMartin (Contributor, Author)

You can reproduce the behaviour I'm talking about in this app: https://ramen.noeldemartin.com.

Every time I reload the app, I am redirected to ESS and I see this:

[image: screenshot of the consent screen]

Ideally, once I have already consented, I wouldn't be shown that screen again. The login is implemented here, in case you want to see how I'm using the library: https://github.com/NoelDeMartin/aerogel/blob/main/packages/plugin-solid/src/auth/authenticators/InruptAuthenticator.ts
