IBM Security Verify

  • 1.  OIDC - Authentication Request - support of prompt=select_account

    Posted Mon November 29, 2021 08:58 AM
    Hi,

    We would like to know if the following request parameter (prompt=select_account) is supported within the Authorization Code Flow in ISVA 10.0.3?
    https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

    We want to use this in ISVA 10.0.1 and are getting the following error:

    OAuth20InvalidRequestException: FBTOAU244E An invalid prompt value was provided.
    -> Ensure that the request prompt parameter value is either none, login or consent.

    Kind regards,
    Kevin De Win
    IS4U

    ------------------------------
    Kevin De Win
    Security Consultant
    IS4U
    ------------------------------


  • 2.  RE: OIDC - Authentication Request - support of prompt=select_account

    Posted Tue November 30, 2021 04:02 AM
    No changes in this respect in 10.0.3. Please open an RFE if you have not done so already.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: OIDC - Authentication Request - support of prompt=select_account

    Posted Wed December 01, 2021 06:08 AM
    Hi Kevin,

    This is a bit of an "out-there" idea, but I'm trying to creatively think about how you could get past your current blocking problem. Consider an HTTP transformation rule on the /authorize endpoint that modified the URI, renaming "prompt=xxx" to "myprompt=xxx", when "xxx" is any value that you want to support but that ISVA doesn't currently support. This would avoid the current error validation that is taking place, and allow you to implement an access policy that then looks for "myprompt" and processes it in the manner you wish.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
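
The rename suggested in post 3, modelled in Python as an added example (not code from the thread or from IBM, and not an ISVA transformation rule itself). The function name and sample URIs are constructed; the supported values are the ones listed in the FBTOAU244E message above, and the handling of space-delimited lists follows the OIDC Core definition of `prompt`.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values the FBTOAU244E message in this thread lists as accepted.
SUPPORTED_PROMPTS = {"none", "login", "consent"}
RENAMED_PARAM = "myprompt"  # parameter name suggested in post 3


def rewrite_authorize_uri(uri):
    """Rename prompt to myprompt when any requested value is unsupported.

    Hypothetical helper: models the query-string rewrite only. Supported
    prompt values are left alone so built-in validation still handles them.
    """
    parts = urlsplit(uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    rewritten = []
    changed = False
    for name, value in pairs:
        if name == "prompt":
            # OIDC Core defines prompt as a space-delimited, case-sensitive
            # list, so "login select_account" must be treated as unsupported.
            requested = value.split()
            if any(v not in SUPPORTED_PROMPTS for v in requested):
                rewritten.append((RENAMED_PARAM, value))
                changed = True
                continue
        rewritten.append((name, value))
    if not changed:
        # Return the original string untouched: no re-encoding side effects.
        return uri
    # urlencode re-encodes every parameter (space becomes '+'), which is
    # equivalent for form-encoded query strings.
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "/authorize?client_id=abc&prompt=select_account&scope=openid",
        "/authorize?client_id=abc&prompt=login&scope=openid",
        "/authorize?prompt=login%20select_account",
    ):
        print(sample, "->", rewrite_authorize_uri(sample))
```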