Feature Request
Is your feature request related to a problem or unsupported use case? Please describe.
Currently, when a user already has an active session, there is no way to force them to re-authenticate. This is problematic in some scenarios, as security-sensitive actions require fresh authentication (re-auth for confirming identity).
Without support for forcing re-login, users are automatically signed in with their existing session, which bypasses the intended authentication step.
Describe the solution you'd like
Add support for the OIDC-standard `prompt=login` parameter. When this parameter is passed in the authorization request, the identity provider should:
- Ignore any existing active session for the user
- Force the user to re-enter their credentials (re-authenticate)
- Proceed with the normal authentication flow afterward
This aligns with the OpenID Connect Core 1.0 spec, which defines `prompt=login` as: "The Authorization Server SHOULD prompt the End-User for reauthentication."
Other valid values from the spec (`consent`, `select_account`) could also be considered, but `prompt=login` is the primary need here. `none` is already supported.
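The requested behaviour, as an added sketch that is not part of the original issue or the project's code: an authorization-endpoint decision that honours `prompt=login`, plus the relying-party check that re-authentication really happened, since a user can strip `prompt=login` from the URL. All function names are hypothetical, and the sketch assumes the ID token carries `auth_time` (for example because `max_age` was requested); rejecting unknown `prompt` values is a choice made here.

```python
import time

# Added illustration; all names below are hypothetical, not the project's API.
VALID_PROMPTS = {"none", "login", "consent", "select_account"}


def parse_prompt(raw):
    """prompt is a space-delimited, case-sensitive list (OIDC Core 3.1.2.1)."""
    values = set(raw.split()) if raw else set()
    if values - VALID_PROMPTS:
        # Choice made in this sketch: refuse values we do not understand.
        raise ValueError("invalid_request: unknown prompt value")
    if "none" in values and len(values) > 1:
        # The spec requires an error when 'none' is combined with other values.
        raise ValueError("invalid_request: 'none' cannot be combined")
    return values


def decide(raw_prompt, session_auth_time):
    """Return the IdP action for an authorization request.

    session_auth_time is the epoch time of the user's last interactive
    authentication, or None when there is no active session.
    """
    prompt = parse_prompt(raw_prompt)
    if "none" in prompt:
        # No UI allowed: reuse the session silently or fail.
        if session_auth_time is None:
            return "error:login_required"
        return "issue_code"
    if "login" in prompt or session_auth_time is None:
        # Ignore any existing session and collect credentials again.
        return "show_login"
    return "issue_code"


def fresh_enough(id_token_claims, max_age_seconds, now=None, skew=60):
    """Relying-party side: accept the sensitive action only if auth_time
    shows a recent authentication. Fails closed when the claim is missing."""
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    return -skew <= now - auth_time <= max_age_seconds
```

On the issued ID token, `auth_time` must reflect the new login, not the old session; otherwise the client cannot tell a forced re-authentication from a silent sign-in.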