Status Update
Comments
jp...@google.com <jp...@google.com> #2
Generated Metadata
- Summary: The prompt=login parameter in Google's OIDC implementation isn't forcing re-authentication as per the OIDC specification. This feature request is to implement the re-authentication prompt to enhance security, especially in environments like K12 where unauthorized access is a concern.
- Tags:
Additional resources:
https://developers.google.com/workspace/add.../connect-third-party-service
https://developers.google.com/workspace/guides/configure-oauth-consent
https://developers.google.com/apps-script/concepts/scopes
https://stackoverflow.com/questions/tagged/google-workspace?tab...6
https://developers.google.com/apps-script/api/how-tos/enable
You can
bl...@google.com <bl...@google.com> #3
jh...@sps-k12.com <jh...@sps-k12.com> #4
As I've shared this with peers I've realized I probably should have categorized this as a bug. My bad.
jp...@google.com <jp...@google.com> #5
In my understanding, while the OIDC spec dictates behaviors for a given prompt value, those requirements are conditional on that prompt being supported by the authorization server.
Looking for a better component for this issue, but not finding one. This search,
ho...@gmail.com <ho...@gmail.com> #6
I agree, I couldn't find a better place for this. It's also annoying that openid.net seems to be down with a 503 today, but you can still view the link above on the wayback machine at
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
Reading MUST and SHOULD according to RFC2119 (
In any case, the former behavior is certainly preferable, as I described in the Impact section. Microsoft SSO, for example, does implement this functionality, and some of our customers have thought about a switch to Microsoft-based products purely over this concern.
Description
The OIDC specification (at https://openid.net/specs/openid-connect-core-1_0.html) states that when the prompt parameter is set to login:

"The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required."

However, the Google SSO workflow doesn't seem to conform to this part of the OpenID Connect specification, despite claiming to do so at https://developers.google.com/identity/openid-connect/openid-connect.

In other words, when an SSO button's href includes ...&prompt=login, the user SHOULD be prompted to enter their password again before returning to the original site. However, while that parameter does not produce an error, it also seems to do nothing.

Impact
This issue has led to trouble in the K12 sector, where students are likely to take even small windows of opportunity to "prank" each other by changing important settings in apps if a peer turns away from their device momentarily. Implementing this part of the OIDC specification would allow apps to re-validate users immediately before changing important settings or viewing private information, just as Google does in certain parts of its own Workspace application.
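The relying-party side of the step-up flow described in this report and discussed in comments #5 and #6, as an added example that is not code from this thread, from Google, or from the OIDC specification authors. It builds the authorization request with prompt=login and also max_age, which OIDC Core 1.0 section 3.1.2.1 ties to a mandatory auth_time claim in the ID Token, and then checks that claim on the returned token before allowing a sensitive action, so the app does not have to trust that the prompt was honoured. Assumptions: the ID Token's signature, issuer, audience and expiry have already been validated by the app's normal library; the authorization endpoint constant is Google's documented one but is passed as a parameter; the client id, redirect URI and the sample token payloads are placeholders and constructed inputs. Whether a given provider actually emits auth_time is not something this page establishes, so a missing claim is treated as "not re-authenticated".

```python
"""Relying-party (RP) side of an OIDC step-up ("log in again before this
action") flow.  Added example; not code from the issue, Google or the spec.

Assumed: the RP has already validated the ID Token's signature, iss, aud
and exp with its usual library.  Only the re-authentication logic is here.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: Google's documented OIDC authorization endpoint.  Any other
# provider's endpoint can be passed to build_reauth_url() instead.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_reauth_url(client_id, redirect_uri, max_age_seconds=0,
                     endpoint=GOOGLE_AUTH_ENDPOINT):
    """Return (url, state, nonce) for an authorization request asking for a
    fresh login.

    OIDC Core 1.0 section 3.1.2.1 defines both parameters: prompt=login asks
    the server to re-authenticate, and max_age=N requires that the user was
    actively authenticated within the last N seconds and that the ID Token
    carry an auth_time claim (the errata text of that section also notes
    that max_age=0 is equivalent to prompt=login).  Sending both gives the
    RP a claim it can verify itself rather than trusting the prompt.
    """
    state = secrets.token_urlsafe(32)   # CSRF binding for the callback
    nonce = secrets.token_urlsafe(32)   # binds the ID Token to this request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "max_age": str(max_age_seconds),
    }
    return f"{endpoint}?{urlencode(params)}", state, nonce


def query_params(url):
    """Flatten the query string of url into {name: value} (first value)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def reauth_is_fresh(claims, expected_nonce, max_age_seconds,
                    now=None, skew_seconds=30):
    """Decide whether a verified ID Token payload proves a *recent* login.

    The decision rests on auth_time, not iat: an IdP that silently reuses
    an existing session still mints the token "now", so iat says nothing
    about when the password was last entered.  A missing auth_time is
    treated as "not re-authenticated", the conservative reading of the
    rule that auth_time MUST be present when max_age was requested.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False                      # token is not for this request
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False                      # server did not commit to a fresh login
    if auth_time > now + skew_seconds:
        return False                      # too far in the future to trust
    return (now - auth_time) <= max_age_seconds + skew_seconds


if __name__ == "__main__":
    url, state, nonce = build_reauth_url("CLIENT_ID_PLACEHOLDER",
                                         "https://rp.example/callback",
                                         max_age_seconds=60)
    print(url)
    now = int(time.time())
    # Constructed sample payloads (signature already checked by assumption).
    samples = {
        "fresh login":     {"sub": "1", "nonce": nonce, "auth_time": now - 5, "iat": now},
        "reused session":  {"sub": "1", "nonce": nonce, "auth_time": now - 3600, "iat": now},
        "no auth_time":    {"sub": "1", "nonce": nonce, "iat": now},
    }
    for name, payload in samples.items():
        allowed = reauth_is_fresh(payload, nonce, 60, now=now)
        print(f"{name}: allow sensitive action = {allowed}")
```

The app stores state and nonce in the user's session when it redirects, then on the callback exchanges the code, validates the ID Token as usual, and calls reauth_is_fresh() with the stored nonce before letting the settings change through. If the provider ignores prompt=login but honours max_age, auth_time exposes the session reuse; if it emits no auth_time at all, the check fails closed and the app can fall back to its own secondary verification.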