Seeing "Last time you logged in with" during authorization code grant for API

I am seeing the hosted “Last time you logged in with” while executing the authorization code grant for an API.

The steps I am using are below. The interactions are between a .Net web forms client and .Net Web API.

  1. Log in to the web forms app using hosted Auth0 login page.
  2. After redirect back to web forms application, redirect back to Auth0 to hit user consent page and obtain authorization code.

It’s at this point I see the “Last time you logged in with” just before the consent screen is presented. I have “Use Auth0 instead of the IdP to do Single Sign On” turned on on the client application.

I’m trying to determine if I have something configured incorrectly, or if this is a something that is not ready on the Auth0 side. Both the web forms app and the API are first party(company I work for owns and controls both). I also have the “Allow Skipping User Consent” on the API as the desired result is to see no logins/prompts while executing the flow. With this enabled we do not see the user consent page, but the hosted “Last time you logged in with” persists.

At the moment, the default behavior when you redirect to the hosted login page and the user already has an existing session is to show the UI you refer to where the user is informed of the currently active session and can choose to proceed with that session or login with another user account.

You can control this behavior by including prompt=none in the request; this means that if a session already exists and can be used to complete the authentication step then there is no user interaction required and the session is automatically used. Have in mind that in this mode, if there’s no session that can be reused the request also automatically fails. You can read more about this option at the silent authentication docs.

Additionally, it should also be possible to do a single request that both authenticates the user and issues a grant that can be used to obtain tokens for your own API; this is usually accomplished by including the audience parameter during the authentication request. The benefit of doing it at the same is that it saves you a request.

Thank you for the info