Implement prompt=none when having a custom interception script?

[polsson12]

Hi,

Can you give some hints on how to implement a silent authentication flow when the RP is adding the query param prompt=none in the authz request?

Is Janssen supposed to handle that out of the box when I have a custom interception script for the given client and acr?

If not, how should it be implemented in the authenticator?

Thanks!

[polsson12]

Hi again,

It seems like the session_id cookie is changing its value between when the RP is accessing the jans-auth/authorize endpoint. Can it be related to that?

This happens even when Im settting change_session_id_on_authentication = false

I tried to debug in the interception script what really happens, and it seems that it cannot find an existing session when the RP is coming back to /authorize?...

code:

boolean loggedIn = identity1.isLoggedIn();
User user = identity1.getSessionId().getUser();

log.info("Session: {}", identity1.getSessionId());
log.info("Got user: {}, logged in: {}", user, loggedIn);

Says user null, loggedIn False.
Also the get.SessionId prints another sessionID compared to when authentication was first accepted by:
boolean authenticated = authenticationService.authenticate(user.getUserId());
which gives true back.

Any ideas?

[yuriyz]

We have quite detailed documentation for prompt=none, see https://docs.jans.io/v1.4.0/janssen-server/auth-server/openid-features/prompt-parameter/#prompt-none

If user is already authenticated then successful response will be returned. If user was not authenticated then error is returned.
Also double check "sessionIdPersistOnPromptNone" AS configuration property is set to true.

Please check this commit which shows how to use ROPC at Authorization Endpoint.
04b000c#diff-82aed3535d4316c2822e52c092db81961294f7d9db853fd59a7ea4e955d290be

In other words you can use prompt=none and ROPC for silent user authentication if this is what use case is.

[polsson12]

Hi @yuriyz,

Thanks for getting back to me.
Is prompt=none only available in the ROPC flow?

My use case isn't ROPC flow, but rather a OIDC flow with an external authenticator (inbound openid connect provider).
I've checked the sessionIdPersistOnPromptNone and it's set to true.

[polsson12]

I've read it many times, but I must be missing something.

Do I need to provide the user credentials in the headers? I don't have have the user credentials because the user is authenticating at an external IdP.

[yuriyz]

Ok, questions:

1. when authorization request with prompt=none is sent, is user authenticated?
2. if no, what inside request leads to user identification?
   My assumption was that authenticated user can be set inside ROPC script, so on authorization with prompt=none AS can get valid authenticated session.

[yuriyz]

In other words ROPC custom script can authenticate user against external IdP.

[polsson12]

I just want to take a few steps back first.
Given that I have a custom script that handles the authentication of the user (sending one-time-code to external IdP, validating ID token etc). What steps should I take after that in order to fully authenticate the user? What I do now is:

1. Create or fetch existing user from DB
2. authenticationService.authenticate(user.getUserId()); // returns true;
3. return true from the authenticate(Map<String, SimpleCustomProperty> configurationAttributes, Map<String, String[]> requestParameters, int step) method

Your questions:

1. After authentication as described above, a request is made against to jans-auth/authorize?prompt=none&... I see:
   something like this in the prepareForStep method (step 1):

Session: SessionId {dn='jansId=3a87346f-251b-4c6b-a1a6-4c9b12f958d6,ou=sessions,o=jans', id='3a87346f-251b-4c6b-a1a6-4c9b12f958d6', outsideSid='9f37d153-d994-4a5d-9c1f-87ef802fb988', lastUsedAt=Wed Mar 19 13:45:49 GMT 2025, userDn='', authenticationTime=Wed Mar 19 13:45:49 GMT 2025, state=unauthenticated, expirationDate=Wed Mar 19 14:05:49 GMT 2025, sessionState='f035b78731d50bfb30c5d486270dc34164c3b0c6f6ca67603ecbcbbbfa9577ce.38a7f91d-cacc-4257-a3f8-e60352f823e1', permissionGranted=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={XXX}}, sessionAttributes={auth_step=1, acr=YYY, login_hint=some_hint, remote_ip=XXX, opbs=ef83c15b-aab1-44af-93af-80a78ec715c6, acr_values=YYY, response_type=code, redirect_uri=<redirect_uri>, state=80fa08b1-4761-4833-b400-0b8bebae0106, prompt=none, client_id=<cleint>, response_mode=query}, persisted=true, deviceSecrets=[]}

obviously is the state unauthenticated above, why is that?

2. Sorry I don't understand this question, I don't use the ROPC flow.

I was under the impression that janssen session cookie keeps track of if the user is authenticated or not given that a successfull attempt has been done before, and that session_id_lifetime, session_unused_lifetime has not expired and that other settings like session_id_persist_on_prompt_none = true, invalidate_session_cookies_after_authorization_flow = false.

General question:
When using custom scripts, am I supposed to handle the prompt=none logic inside my script, or should janssen be able to handle it "out of the box"?

[yuriyz]

Hmm, I guess I'm confused now. Ok, lets step back

prompt=none is supported by AS and as described in docs works in following way:

• if user is authenticated -> successful response is returned
• if user is not authenticated -> error is returned

This works out of the box and no any changes are needed.
Here is what OIDC spec says about prompt=none

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). This can be used as a method to check for existing authentication and/or consent.

From here what do you want to change ?

[nynymike]

For non-browser authentication, you should use the Authorization Challenge endpoint. Even better is to write an Agama Flow to handle the business logic. See this docs page: https://docs.jans.io/head/janssen-server/developer/agama/native-applications/

Here's a sample app written in Python an TK: https://github.com/GluuFederation/agama-native/tree/main/registration