No "prompt" param in oidc connection URL even when "promptType" is set

[deanmax]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.

Version

2.41.1

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

Using oidc connector, with connector.config.promptType=fido2, I expect dex would append prompt=fido2 in the URL while calling the backend OIDC provider, but observed that no prompt param exist in the request URL

Actual Behavior

request URL should have prompt=fido2 in /oauth/authorize call against backend OIDC provider

Steps To Reproduce

1. Config dex with below configurations
2. Using kubectl oidc-login command to auth against dex

kubectl oidc-login get-token --oidc-issuer-url=https://my-dex-server.com --oidc-client-id=kube_dev_public --oidc-extra-scope=email

3. In pop out browser window, the url will look like this

https://my-backend-oidc-provider.com/ui/sso_login?client_id=kube_dev_4&prompt=&redirect_uri=https%3A%2F%2Fmy-dex-server.com%2Fcallback&response_type=code&scope=openid&state=pudloovmh7mx5i7hiw4ytuvcw

Additional Information

No response

Configuration

issuer: https://my-dex-server.com

    connectors:
      - type: oidc
        id: my-oidc-provider
        name: my-oidc-provider
        config:
          issuer: https://my-backend-oidc-provider.com

          clientID: kube_dev_4
          clientSecret: $DEX_CLIENT_SECRET

          redirectURI: https://my-dex-server.com/callback
          promptType: fido2
          insecureSkipEmailVerified: true
          insecureEnableGroups: true
          scopes:
            - openid
          userNameKey: sub
          claimMapping:
            email: sub 

    web:
      http: 0.0.0.0:5556

    oauth2:
      responseTypes: ["code", "token", "id_token"]
      skipApprovalScreen: true

    storage:
      type: memory

    staticClients:
      - id: kube_dev_public
        public: true
        name: "Kubectl CLI client"
        redirectURIs:
          - http://localhost:8000 # kubectl oidc-login local callback endpoint

Logs

dex app log shows nothing

ingress log for dex

public-ingress-controller-67f68778cc-dt649 nginx-ingress-controller { "Bytes": 732, "Duration": 0.001, "HttpReferer": "", "Method": "GET", "Path": "/.well-known/openid-configuration", "ProxyRemoteIP": "0.0.0.0", "RemoteIP": "0.0.0.0", "RequestID": "76d94d87c3ea8faf6be3ea3ee9592f5e", "Request": GET /.well-known/openid-configuration HTTP/1.1, "RequestLength": 138, "RequestProtocol": "HTTP/1.1", "StatusCode": 200, "Time": "2024-09-11T14:39:21+00:00", "UserAgent": "Go-http-client/1.1", "VirtualHost": "my-dex-server.com", "XForwardFor": "0.0.0.0", "ssl_client_s_dn": "", "ssl_client_fingerprint": "", "ssl_client_i_dn": "", "ssl_client_days_valid": "", "tls_version": "TLSv1.3"}

public-ingress-controller-67f68778cc-dt649 nginx-ingress-controller { "Bytes": 2177, "Duration": 0.001, "HttpReferer": "", "Method": "GET", "Path": "/auth", "ProxyRemoteIP": "0.0.0.0", "RemoteIP": "0.0.0.0", "RequestID": "0004d3ba5b9125744ad6b3149ca36906", "Request": GET /auth?access_type=offline&client_id=kube_dev_public&code_challenge=8cjLfz2umbpWX5D93rXcYHclBq_WAZRDPrIIXLA7agM&code_challenge_method=S256&nonce=5PQ3XRsWZspzh9g4x_44P-D2aYyOQxesHN_93FZXkD4&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid&state=FxUWX63myappMQbCab7uYkSFwyoirfQfHWU8FZ0Pmt0 HTTP/2.0, "RequestLength": 729, "RequestProtocol": "HTTP/2.0", "StatusCode": 302, "Time": "2024-09-11T14:39:22+00:00", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", "VirtualHost": "my-dex-server.com", "XForwardFor": "0.0.0.0", "ssl_client_s_dn": "", "ssl_client_fingerprint": "", "ssl_client_i_dn": "", "ssl_client_days_valid": "", "tls_version": "TLSv1.3"}

public-ingress-controller-67f68778cc-dt649 nginx-ingress-controller { "Bytes": 547, "Duration": 0.001, "HttpReferer": "", "Method": "GET", "Path": "/auth/my-oidc-provider", "ProxyRemoteIP": "0.0.0.0", "RemoteIP": "0.0.0.0", "RequestID": "2b2d3e149acae6e48f975d13a60c4a0e", "Request": GET /auth/my-oidc-provider?access_type=offline&client_id=kube_dev_public&code_challenge=8cjLfz2umbpWX5D93rXcYHclBq_WAZRDPrIIXLA7agM&code_challenge_method=S256&nonce=5PQ3XRsWZspzh9g4x_44P-D2aYyOQxesHN_93FZXkD4&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid&state=FxUWX63myappMQbCab7uYkSFwyoirfQfHWU8FZ0Pmt0 HTTP/2.0, "RequestLength": 264, "RequestProtocol": "HTTP/2.0", "StatusCode": 302, "Time": "2024-09-11T14:39:22+00:00", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", "VirtualHost": "my-dex-server.com", "XForwardFor": "0.0.0.0", "ssl_client_s_dn": "", "ssl_client_fingerprint": "", "ssl_client_i_dn": "", "ssl_client_days_valid": "", "tls_version": "TLSv1.3"}

ingress log for backend oidc provider

private-ingress-controller-5957c5cd69-25x9m nginx-ingress-controller { "Bytes": 571, "Duration": 0.008, "HttpReferer": "", "Method": "GET", "Path": "/oauth/authorize", "ProxyRemoteIP": "10.120.41.6", "RemoteIP": "10.120.41.6", "RequestID": "43961c9b3c5ca9f32b29534582437591", "Request": GET /oauth/authorize?client_id=kube_dev_4&redirect_uri=https%3A%2F%2Fmy-dex-server.com%2Fcallback&response_type=code&scope=openid&state=liznkf6xr3kn4jhqbwjkdb674 HTTP/2.0, "RequestLength": 1266, "RequestProtocol": "HTTP/2.0", "StatusCode": 302, "Time": "2024-09-11T17:04:52+00:00", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", "VirtualHost": "my-backend-oidc-provider.com", "XForwardFor": "10.120.41.6", "ssl_client_s_dn": "", "ssl_client_fingerprint": "", "ssl_client_i_dn": "", "ssl_client_days_valid": "", "tls_version": "TLSv1.3"}

private-ingress-controller-5957c5cd69-25x9m nginx-ingress-controller { "Bytes": 738, "Duration": 0.001, "HttpReferer": "", "Method": "GET", "Path": "/ui/sso_login", "ProxyRemoteIP": "10.120.41.6", "RemoteIP": "10.120.41.6", "RequestID": "60d861526a958822b70a4a1b2bfbb8ca", "Request": GET /ui/sso_login?client_id=kube_dev_4&prompt=&redirect_uri=https%3A%2F%2Fmy-dex-server.com%2Fcallback&response_type=code&scope=openid&state=liznkf6xr3kn4jhqbwjkdb674 HTTP/2.0, "RequestLength": 161, "RequestProtocol": "HTTP/2.0", "StatusCode": 200, "Time": "2024-09-11T17:04:52+00:00", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", "VirtualHost": "my-backend-oidc-provider.com", "XForwardFor": "10.120.41.6", "ssl_client_s_dn": "", "ssl_client_fingerprint": "", "ssl_client_i_dn": "", "ssl_client_days_valid": "", "tls_version": "TLSv1.3" }

Notice there's no "prompt" parameter in the /oauth/authorize call

[nabokihms]

It only works with the offline access scope. See

dex/connector/oidc/oidc.go

Lines 352 to 355 in 20f240c

	if s.OfflineAccess {
	opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
	}
	return c.oauth2Config.AuthCodeURL(state, opts...), nil

[deanmax]

Is there plan to extend this? Not sure what the design principle is behind this.

[flipper]

I also noticed this issue. I also wonder if it is a design issue.
Or is it a bug that i could fix with a PR?

[nabokihms]

It seems like the value was once hardcoded and then unhardcoded
#1656

It doesn't look like a deep design decision too me, so we can fix this>

? Will it be a breaking change?
? Do we also need to fix the Google connector?