OpenID Connect, redirect without login form if not already logged in?

忘了有多久 2021-01-18 14:14

In OpenID Connect, I would like my users to be automatically connected to my client if they are connected to the identity provider (given that they already authorized my cli

2 answers
  •  别那么骄傲
    2021-01-18 14:40

    You are considering SSO behaviour on top of the IDP. This is usually outside the OpenID Connect specification and usually bound to the specific identity provider you are using (e.g. Azure, PING or WSO2). But there are some parameters to tweak this behaviour, such as prompt and login_hint, which are optional.

    From OpenID Connect authentication request section

    prompt

    Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

    Valid values are login, none, consent and select_account. You can use them to enforce login or to allow account selection.

    login_hint

    Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)

    One good example is enabling SSO behaviour by passing login_hint to the identity provider. If the identity provider can verify identity against (for example) a corporate LDAP and detect the logged-in state, you can give a credential-free login experience. At the same time, you may use prompt=login to enforce a login, even when the identity provider holds a logged-in session.
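
An added example, not part of the original answer: a client-side sketch of the `prompt` and `login_hint` parameters quoted above, sending a silent (`prompt=none`) request and falling back to an interactive login when the provider answers with one of the OpenID Connect Core error codes for "UI needed". The function names, endpoint, client ID and redirect URI are assumptions chosen for illustration.

```javascript
// Added example: all names, endpoints and client values below are assumptions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const PROMPTS = ["none", "login", "consent", "select_account"];
// Error codes returned when prompt=none cannot be satisfied (OIDC Core 3.1.2.6).
const NEEDS_UI = ["login_required", "interaction_required",
                  "consent_required", "account_selection_required"];

function randomToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthRequest({ authorizationEndpoint, clientId, redirectUri, prompt, loginHint }) {
  const values = prompt ? prompt.split(" ") : [];
  if (values.some((v) => !PROMPTS.includes(v))) throw new Error("unknown prompt value");
  // The spec treats "none" combined with any other value as an error.
  if (values.includes("none") && values.length > 1) throw new Error("prompt=none must be used alone");
  const state = randomToken(); // binds the response to this browser session
  const nonce = randomToken(); // later compared with the nonce claim in the ID token
  const url = new URL(authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", scope: "openid", client_id: clientId,
    redirect_uri: redirectUri, state, nonce,
  }).toString();
  if (prompt) url.searchParams.set("prompt", prompt);
  if (loginHint) url.searchParams.set("login_hint", loginHint);
  return { url: url.toString(), state, nonce };
}

function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Reject responses that do not belong to the request this session sent.
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  const error = params.get("error");
  // No usable session at the provider: repeat the request without prompt=none.
  if (error && NEEDS_UI.includes(error)) return { action: "interactive_login", error };
  if (error) throw new Error("authorization failed: " + error);
  const code = params.get("code");
  if (!code) throw new Error("no code in response");
  return { action: "exchange_code", code };
}
```

The `state` and `nonce` returned by `buildAuthRequest` have to be stored in the user's session before redirecting, so that the callback and the ID token can be checked against them.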
