From f5d63fb76c74a83457efbfca3bb350f8a0c20879 Mon Sep 17 00:00:00 2001
From: Karlo <41088744+KarloDerEchte@users.noreply.github.com>
Date: Thu, 20 Nov 2025 03:08:36 +0100
Subject: [PATCH] feat: add option to change or disable OIDC login prompt parameter (#2037)
---
 .env.example | 4 ++++
 .../server/lib/utils/handle-oauth-authorize-url.ts | 10 +++++++---
 turbo.json | 3 ++-
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/.env.example b/.env.example
index 980792eb6..dcf3dcb58 100644
--- a/.env.example
+++ b/.env.example
@@ -23,6 +23,10 @@ NEXT_PRIVATE_OIDC_CLIENT_ID=""
 NEXT_PRIVATE_OIDC_CLIENT_SECRET=""
 NEXT_PRIVATE_OIDC_PROVIDER_LABEL="OIDC"
 NEXT_PRIVATE_OIDC_SKIP_VERIFY=""
+# Specifies the prompt to use for OIDC signin, explicitly setting
+# an empty string will omit the prompt parameter.
+# See: https://www.cerberauth.com/blog/openid-connect-oauth2-prompts/
+NEXT_PRIVATE_OIDC_PROMPT="login"
 # [[URLS]]
 NEXT_PUBLIC_WEBAPP_URL="http://localhost:3000"
diff --git a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts
index d0fa72d1d..f62d27fa9 100644
--- a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts
+++ b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts
@@ -27,13 +27,13 @@ type HandleOAuthAuthorizeUrlOptions = {
   /**
    * Optional prompt to pass to the authorization endpoint.
    */
-  prompt?: 'login' | 'consent' | 'select_account';
+  prompt?: 'none' | 'login' | 'consent' | 'select_account';
 };
 const oauthCookieMaxAge = 60 * 10; // 10 minutes.
 export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => {
-  const { c, clientOptions, redirectPath, prompt = 'login' } = options;
+  const { c, clientOptions, redirectPath } = options;
   if (!clientOptions.clientId || !clientOptions.clientSecret) {
     throw new AppError(AppErrorCode.NOT_SETUP);
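Review bot: The new comment on `NEXT_PRIVATE_OIDC_PROMPT` explains how to omit the parameter but not what the default `login` buys, so an operator cannot judge the trade-off of clearing it. With `prompt=login` the provider has to re-authenticate the user even when a provider session already exists in the browser; an empty value lets an existing provider session complete sign-in with no credential entry, which matters on shared machines. I would add a line such as `# "login" makes the provider re-authenticate the user on every sign-in; omit it only if silent sign-in from an existing provider session is acceptable.` As far as the TypeScript hunks show, the value is not validated by the application before it is sent to the provider, so the comment could also say that only the values listed in the linked article are meaningful.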
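Review bot: The `prompt` option of `HandleOAuthAuthorizeUrlOptions` becomes dead in this hunk: its union is widened to include `'none'`, yet the new destructuring `const { c, clientOptions, redirectPath } = options;` drops `prompt`, so a caller passing `prompt: 'consent'` now silently gets whatever `NEXT_PRIVATE_OIDC_PROMPT` says (the env lookup is in the next hunk of this file). Either remove the field from the type, or keep it as the per-call override: `const { c, clientOptions, redirectPath, prompt } = options;` here, and in the following hunk resolve the value as `const resolvedPrompt = prompt ?? process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login';` before the empty-string check. The docstring above the field should then say that the env var only supplies the default. The body of handleOAuthAuthorizeUrl continues past the end of the hunk.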
@@ -63,7 +63,11 @@ export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOp
   );
   // Pass the prompt to the authorization endpoint.
-  url.searchParams.append('prompt', prompt);
+  if (process.env.NEXT_PRIVATE_OIDC_PROMPT !== '') {
+    const prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login';
+
+    url.searchParams.append('prompt', prompt);
+  }
   setCookie(c, `${clientOptions.id}_oauth_state`, state, {
     ...sessionCookieOptions,
diff --git a/turbo.json b/turbo.json
index d2217d211..a60f12b6b 100644
--- a/turbo.json
+++ b/turbo.json
@@ -119,6 +119,7 @@
       "GOOGLE_APPLICATION_CREDENTIALS",
       "E2E_TEST_AUTHENTICATE_USERNAME",
       "E2E_TEST_AUTHENTICATE_USER_EMAIL",
-      "E2E_TEST_AUTHENTICATE_USER_PASSWORD"
+      "E2E_TEST_AUTHENTICATE_USER_PASSWORD",
+      "NEXT_PRIVATE_OIDC_PROMPT"
     ]
   }
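Review bot: The environment value is appended to the authorization URL unvalidated at `url.searchParams.append('prompt', prompt);`: whatever an operator puts in `NEXT_PRIVATE_OIDC_PROMPT` (a typo, a stray quote, `login consent`) is sent to the provider as-is, and the `'none' | 'login' | 'consent' | 'select_account'` union on the options type no longer constrains it because the value no longer comes from `options`. Since an unrecognised `prompt` makes the provider reject every sign-in, it is better to fail with a clear application error than with a provider-side error page; the function already throws `AppError(AppErrorCode.NOT_SETUP)` for a missing client id/secret, which fits a misconfigured prompt too unless the project has a more specific code. The `// Pass the prompt to the authorization endpoint.` comment should also state that an unset variable still sends `login` and only an explicit empty string omits the parameter, since the `??` default makes that easy to misread. The enclosing function starts and ends outside this hunk.
```typescript
// Values the OIDC prompt parameter may take; an operator-supplied value outside this set is rejected.
const OIDC_PROMPT_VALUES: readonly string[] = ['none', 'login', 'consent', 'select_account'];

// … unchanged: handleOAuthAuthorizeUrl up to the authorization URL construction …

  // Pass the prompt to the authorization endpoint. An unset variable defaults to
  // 'login'; only an explicit empty string omits the parameter entirely.
  const configuredPrompt = process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login';

  if (configuredPrompt !== '') {
    if (!OIDC_PROMPT_VALUES.includes(configuredPrompt)) {
      throw new AppError(AppErrorCode.NOT_SETUP);
    }

    url.searchParams.append('prompt', configuredPrompt);
  }

  // … unchanged: setCookie calls …
```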