OAuth/OIDC fails when prompt=consent or prompt=select_account is used
Summary
When using GitLab as an OpenID provider, authentication fails if the authentication request uses prompt=consent (when not logged in), prompt=select_account, or a combination that contains one of them, e.g. prompt=login consent.
Steps to reproduce
- Create an OAuth application in your account settings.
- Set up an OpenID Connect client with the credentials from step 1.
- Send an authentication request that includes the optional parameter prompt=consent in a fresh browser session (not logged into GitLab).
- Send an authentication request that includes prompt=select_account.
What is the current bug behavior?
- For prompt=consent: an error 500 page appears (tested on gitlab.com).
- For prompt=select_account: the error code invalid_configuration is returned.
What is the expected correct behavior?
According to the OpenID Connect spec chapter 3.1.2.1:
- For prompt=consent: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
- For prompt=select_account: The Authorization Server SHOULD prompt the End-User to select a user account.
In both cases at least a fallback to the login prompt (as if prompt=login was specified) could be expected.
Relevant logs and/or screenshots
Error returned in the URL for prompt=select_account:
?error=invalid_configuration&error_description=The+authorization+server+encountered+an+unexpected+condition+which+prevented+it+from+fulfilling+the+request.
Screenshot for prompt=consent:
(Request ID: 01GESPZ70KD4MHN4NPTPZDTQ9A)
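As an added example (not GitLab's code, nor the reporter's), the following relying-party helpers build the authentication request from section 3.1.2.1 with a prompt value, parse the error redirect quoted above, and compute the prompt=login fallback the expected-behavior section describes. The authorize endpoint host, client id, redirect URI and state/nonce values are placeholders.

```python
# Added example, not part of the original issue: relying-party side handling of
# the prompt parameter and of the invalid_configuration error redirect.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://gitlab.example.com/oauth/authorize"  # placeholder host
VALID_PROMPTS = {"none", "login", "consent", "select_account"}


def build_auth_request(client_id, redirect_uri, state, nonce, prompt=None):
    """Return an OIDC authentication request URL (OIDC Core 3.1.2.1)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,   # CSRF binding; checked again on the callback
        "nonce": nonce,   # bound into the ID token
    }
    if prompt:
        values = prompt.split()          # space-separated list per the spec
        unknown = set(values) - VALID_PROMPTS
        if unknown:
            raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
        if "none" in values and len(values) > 1:
            raise ValueError("prompt=none must not be combined with other values")
        params["prompt"] = " ".join(values)
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Parse the provider's redirect; return (code, error, error_description)."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale request or CSRF attempt")
    return (q.get("code", [None])[0],
            q.get("error", [None])[0],
            q.get("error_description", [None])[0])


def fallback_prompt(prompt, error):
    """If the provider rejected consent/select_account (the bug described
    above), return the prompt to retry with, dropping the unsupported values
    and falling back to prompt=login; None if no retry applies."""
    if error != "invalid_configuration":
        return None
    kept = [v for v in prompt.split() if v not in ("consent", "select_account")]
    return " ".join(kept) or "login"
```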
Edited by Christoph Grenz