Cannot use a refresh login flow to invoke a prompt=consent OIDC refresh

[aran]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

If sending {"upstream_parameters": {"prompt": "consent"}} in a login flow with refresh=true, "prompt":"login" is nevertheless in the generated link.

This appears to be because of the IsForced condition:

kratos/selfservice/flow/login/flow.go

Line 235 in bac030b

func (f *Flow) IsForced() bool {

kratos/selfservice/strategy/oidc/provider_generic_oidc.go

Line 90 in bac030b

options = append(options, oauth2.SetAuthURLParam("prompt", "login"))

Reproducing the bug

1. Create a login flow with refresh: true
2. Submit the login flow with Google OIDC provider, and json encoding of {"upstream_parameters": {"prompt": "consent"}}
3. Expect to enter a consent OIDC flow, actual is a login OIDC flow.

Relevant log output

No response

Relevant configuration

No response

Version

1.20

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[aeneasr]

This is expected behavior. You should not be able to make decisions on whether Google should show the login form or not as a user. Only Kratos can make that decision.