We have an application that uses the authorization code flow to authenticate users. It's been working up to now, but as of a couple of days ago, when a user who has previously logged in tries to log in from the "Last time you logged in with" hosted login UI, they are redirected back to the Auth0 /login endpoint (the /authorize request returns a 302 with a "location" header for /login?... instead of redirecting to our app's redirect_uri), which just shows the "Last time you logged in with" login UI again. If the user selects "Not your account?" and logs in with their (prefilled) credentials, they are logged in and redirected to our app as expected. We currently set the /authorize parameter prompt='consent' in our authorization request parameters.

Nothing has changed on our end (application code or our Auth0 application configuration). We have several Auth0 tenants and they are all experiencing the same issue. I can "fix" the problem by removing the prompt parameter altogether, but leaving it as consent or setting it to login causes the redirect issue. To be honest, I can find almost no documentation on what the prompt parameter does other than the API docs mentioning how to do silent authentication. Based on the documentation, I would expect clearing the prompt parameter to perform silent authentication and not show the login screen if a user has a valid session token, but that doesn't seem to be the case?

Has anything changed with the authorization code flow based on the prompt parameter? Is there any combination of configuration settings that might cause the behavior I'm seeing with the pre-existing login UI not redirecting properly? And, also, what does prompt='consent' actually do? (I didn't write the Auth0 config, so I'm not sure why it was set to this value initially.)
Thanks for any help!
Cheers,
James
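As an added example (not part of the post above, and not Auth0's own code), here is a small diagnostic for the loop described: it builds the /authorize request with or without the prompt parameter, then classifies the 302 that comes back, distinguishing a bounce to the hosted /login page from a genuine callback to the app. The tenant domain, client_id, redirect_uri and state values are constructed placeholders, and the callback check also rejects a mismatched state, which a client should do regardless of the prompt setting.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; these are not real tenant or client identifiers.
TENANT = "tenant.example.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/callback"
EXPECTED_STATE = "xyz123"


def build_authorize_url(domain, client_id, redirect_uri, state, prompt=None):
    """Build the /authorize URL; the prompt parameter is only sent when set
    (prompt=None reproduces the poster's workaround of dropping it)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
    }
    if prompt is not None:
        params["prompt"] = prompt
    return f"https://{domain}/authorize?" + urlencode(params)


def classify_authorize_response(status, location,
                                redirect_uri=REDIRECT_URI,
                                expected_state=EXPECTED_STATE):
    """Classify the redirect returned by /authorize.

    'callback'       -> landed on our redirect_uri with a code and matching state
    'state_mismatch' -> landed on redirect_uri but state differs (reject it)
    'error'          -> redirect_uri reached with an OAuth error parameter
    'login_bounce'   -> sent back to the hosted /login page (the loop in the post)
    'other'          -> anything else (non-redirect status, unknown target)
    """
    if status not in (302, 303):
        return "other"
    loc = urlsplit(location)
    target = urlsplit(redirect_uri)
    qs = parse_qs(loc.query)
    if (loc.scheme, loc.netloc, loc.path) == (target.scheme, target.netloc, target.path):
        if "error" in qs:
            return "error"
        if qs.get("state", [None])[0] != expected_state:
            return "state_mismatch"
        return "callback" if "code" in qs else "other"
    # Location may be absolute or relative; a /login path is the hosted login UI.
    if loc.path.startswith("/login"):
        return "login_bounce"
    return "other"
```

Capture the Location header of the /authorize response (for example from the browser's network tab) and feed it to classify_authorize_response to confirm which case a given prompt value produces.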