In OpenID Connect, I would like my users to be automatically connected to my client if they are connected to the identity provider (given that they already authorized my cli
Alternatively, you can use signinSilent(). I have used it in my login page's ngOnInit (since AuthGuard will redirect the user to login anyway, I thought it would be the perfect place in my scenario).
    // login.ts
    ngOnInit(): void {
        // Attempt a silent sign-in on page load. Both the resolved user and
        // any rejection (e.g. login_required) are ignored here so the login
        // page still renders when no IdP session exists.
        this.authService.signinSilent().then(_ => {}).catch(_ => {});
    }

    // authService
    public signinSilent() {
        // Delegates to the UserManager's silent sign-in (hidden iframe with prompt=none).
        return this.userManager.signinSilent();
    }
The signinSilent method will return the user object if the user already has a valid session with the IdP; otherwise it will throw an error, probably login_required.
You are considering SSO behaviour on top of the IdP. This is usually outside the OpenID Connect specification and usually bound to the specific identity provider you are using (e.g. Azure, PING or WSO2). But there are some optional parameters to tweak this behaviour, such as prompt and login_hint.
From the OpenID Connect authentication request section:

prompt
    Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

Valid values are login, none, consent and select_account. You can use them to force a login or to allow account selection.

login_hint
    Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
One good example is enabling SSO behaviour by passing login_hint to the identity provider. If the identity provider can verify identity against (for example) a corporate LDAP and detect the logged-in state, you can give a credential-free login experience. At the same time, you may use prompt=login to enforce a login, even when the identity provider holds a logged-in session.