OAuth/OIDC fails when prompt=consent or prompt=select_account is used


Summary

When using GitLab as an OpenID provider, authentication fails if the authentication request uses prompt=consent (when the user is not logged in), prompt=select_account, or a combination that contains one of them, e.g. prompt=login consent.

Steps to reproduce

  1. Create an OAuth application in your account settings.
  2. Set up an OpenID Connect client with the credentials from step 1.
  3. Send an authentication request that includes the optional parameter prompt=consent in a fresh browser session (not logged into GitLab).
  4. Send an authentication request that includes prompt=select_account
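The two requests from steps 3 and 4, and the decoding of the error that comes back on the redirect URI, as an added example (not GitLab's code and not part of the original issue). The client id, redirect URI, state and nonce values are constructed placeholders; the authorization endpoint is passed in by the caller, so nothing here assumes a particular GitLab host.

```python
"""Build OpenID Connect authentication requests carrying a `prompt` parameter
and decode the OAuth error a provider may append to the redirect URI.

Added example, not GitLab's code. All identifiers below are constructed.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Values allowed for `prompt` by OpenID Connect Core 1.0, section 3.1.2.1.
PROMPT_VALUES = {"none", "login", "consent", "select_account"}


def prompt_problem(prompt: str) -> Optional[str]:
    """Return a description of why `prompt` is invalid, or None if it is fine.

    The spec allows a space-delimited list of the values above and forbids
    combining `none` with any other value.
    """
    values = prompt.split()
    unknown = [v for v in values if v not in PROMPT_VALUES]
    if unknown:
        return f"unknown prompt value(s): {unknown}"
    if "none" in values and len(values) > 1:
        return "prompt=none must not be combined with other values"
    return None


def build_auth_request(authorization_endpoint: str, client_id: str,
                       redirect_uri: str, prompt: Optional[str] = None,
                       state: Optional[str] = None,
                       nonce: Optional[str] = None,
                       scope: str = "openid") -> str:
    """Return the authorization-code-flow URL the browser is sent to.

    `state` and `nonce` default to fresh random values; a real client stores
    them in the session so the callback can be matched to this request.
    """
    problem = prompt_problem(prompt) if prompt is not None else None
    if problem:
        raise ValueError(problem)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if prompt is not None:
        params["prompt"] = " ".join(prompt.split())  # urlencode turns ' ' into '+'
    return f"{authorization_endpoint}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> dict:
    """Decode the query string the provider appended to the redirect URI.

    Returns {"ok": True, "code": ...} on success, or {"ok": False, "error":
    ..., "error_description": ...} when the provider answered with an OAuth
    error (as in the invalid_configuration case) or the state does not match.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        # A state mismatch means this response does not belong to our
        # request (or is a forged/replayed one); never consume its code.
        return {"ok": False, "error": "state_mismatch",
                "error_description": "state did not match the stored value"}
    if "error" in query:
        return {"ok": False, "error": query["error"][0],
                "error_description": query.get("error_description", [""])[0]}
    code = query.get("code", [None])[0]
    if code is None:
        return {"ok": False, "error": "missing_code",
                "error_description": "neither code nor error in response"}
    return {"ok": True, "code": code}


# Constructed sample callback mirroring the error string quoted in the issue,
# with a state value added so parse_callback can check it.
SAMPLE_ERROR_CALLBACK = (
    "https://client.example/cb?state=abc123&error=invalid_configuration"
    "&error_description=The+authorization+server+encountered+an+unexpected"
    "+condition+which+prevented+it+from+fulfilling+the+request."
)

if __name__ == "__main__":
    endpoint = "https://idp.example/oauth/authorize"  # placeholder
    for p in ("consent", "select_account", "login consent"):
        print(build_auth_request(endpoint, "client-id-placeholder",
                                 "https://client.example/cb", prompt=p,
                                 state="abc123", nonce="n0nce"))
    print(parse_callback(SAMPLE_ERROR_CALLBACK, "abc123"))
```

A client that logs the decoded `error` and `error_description` from `parse_callback`, rather than silently retrying, makes a provider-side failure like the one reported here visible in its own logs, and the state check keeps an unexpected callback from being treated as a successful login.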

What is the current bug behavior?

  • For prompt=consent: an error 500 page appears (tested on gitlab.com)
  • For prompt=select_account: the error code invalid_configuration is returned

What is the expected correct behavior?

According to the OpenID Connect spec chapter 3.1.2.1:

  • For prompt=consent: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
  • For prompt=select_account: The Authorization Server SHOULD prompt the End-User to select a user account.

In both cases, at least a fallback to the login prompt (as if prompt=login had been specified) could be expected.

Relevant logs and/or screenshots

Error returned in the URL for prompt=select_account:

?error=invalid_configuration&error_description=The+authorization+server+encountered+an+unexpected+condition+which+prevented+it+from+fulfilling+the+request.

Screenshot for prompt=consent:

(screenshot of the error 500 page; image not included)

(Request ID: 01GESPZ70KD4MHN4NPTPZDTQ9A)

Edited by 🤖 GitLab Bot 🤖