Influencing authentication

As we’ve discussed, the interaction that occurs between the user and the Data Governance Broker during authentication does not actively involve a client application. This is a powerful benefit to the application, because the application only needs to understand the simple OpenID Connect interface to handle user authentication. And this benefits the user, too, who only needs to deal with a single authentication provider. However, OpenID Connect does give your application some tools to influence what happens during authentication.

These are all query parameters accepted by the Data Governance Broker’s authorization endpoint during an OpenID Connect request. For details about other request parameters, see the API references for the authorization code grant type and the implicit grant type.

prompt

The prompt parameter changes the server’s behavior when logging a user in or prompting a user for consent. It takes four possible values.

| Prompt value | Description |
|---|---|
| `login` | Forces the Data Governance Broker to prompt the user to log in, even if the user is already logged in. |
| `consent` | Forces the Data Governance Broker to prompt the user to consent to the requested scopes, even if the user has already consented. |
| `login consent` | Forces the Data Governance Broker to both prompt the user to log in and to prompt the user to consent to the requested scopes. |
| `none` | Forces the Data Governance Broker to suppress login and consent prompts. If the user is not logged in, or consent has not already been obtained for any requested scopes that require consent, the request fails. |

max_age

The max_age parameter lets the client specify a maximum allowable time since the user’s last login. The value is specified as a number of seconds. For example, max_age=900 means “Prompt the user to log in if he or she has not authenticated within the last 15 minutes.”

acr_values

The acr_values parameter lets the client specify the set of ACRs (authentication context class references) that it requires for the authentication request to succeed. The parameter value is formatted as a space-delimited list of ACR names.

This is discussed at greater length in the multi-factor authentication article.
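The following added example (not from the Data Governance Broker documentation) shows a client building an authorization request with these three parameters and then checking, on its own side, that the ID token it gets back honours them: `auth_time` within `max_age`, `acr` among the requested ACRs, and a `prompt=none` refusal surfaced as an error instead of a code. The endpoint URL, client values and claim values are assumptions.

```python
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed for the example; use your Data Governance Broker's real authorization endpoint.
AUTHZ_ENDPOINT = "https://broker.example.com/oauth/authorize"  # hypothetical


def build_authorization_url(client_id, redirect_uri, scopes, state, nonce,
                            prompt=None, max_age=None, acr_values=None):
    """Build an authorization-code request, adding the optional
    prompt, max_age and acr_values parameters described above."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # must include "openid"
        "state": state,
        "nonce": nonce,
    }
    if prompt:
        params["prompt"] = prompt           # "login", "consent", "login consent" or "none"
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if acr_values:
        params["acr_values"] = " ".join(acr_values)   # space-delimited ACR names
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url):
    """Return ("code", code) on success, or ("error", error) when the broker
    refused the request, e.g. login_required after prompt=none."""
    q = parse_qs(urlsplit(redirect_url).query)
    if "error" in q:
        return ("error", q["error"][0])
    return ("code", q["code"][0])


def check_id_token(claims, max_age=None, acr_values=None, now=None):
    """Check that the ID token honours the request: auth_time within max_age and
    acr among the requested ACRs. Returns a list of problems (empty = acceptable).
    Signature, iss, aud and nonce validation are assumed to have happened first."""
    now = time.time() if now is None else now
    problems = []
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None:   # OIDC requires auth_time when max_age was requested
            problems.append("auth_time missing although max_age was requested")
        elif now - auth_time > max_age:
            problems.append(f"login is {int(now - auth_time)}s old, exceeds max_age={max_age}")
    if acr_values and claims.get("acr") not in acr_values:
        problems.append(f"acr {claims.get('acr')!r} not in requested {list(acr_values)}")
    return problems
```

The `acr` check matters because acr_values is a request, not a guarantee: a token that came back with a weaker ACR than the one asked for should be rejected by the client.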