External IDP ZOHO login via Generic OIDC throwing error with parameter prompt=select_account
Use-case:
We’re integrating Zoho login using Zitadel as the OIDC provider.
Environment:
Self-hosted Zitadel.
Version:
v2.63.2
Stack:
We’re using Zitadel’s OIDC login flow to allow users to sign in via Zoho.
What you expected to happen:
Users should be able to authenticate with Zoho via OIDC without issues.
What went wrong:
Zoho throws an error when the prompt parameter is set to select_account. It seems Zoho only supports prompt=consent.
Question:
Is there a way to configure or override the prompt parameter in Zitadel’s OIDC flow to use consent instead of select_account?
10 Replies
hey @Sk-7060131690 thanks for your question, under OIDC authorization_endpoint, you can change the prompts that might help you
I am not sure what does your setup looks like. Please let me know if this helps or I can look more
ZITADEL Docs
OpenID Connect 1.0 Discovery
Hi Rajat,
Thanks for your help! The Zitadel docs (https://zitadel.com/docs/apis/openidoauth/endpoints#additional-parameters) mention the prompt parameter but don’t say if it’s customizable. Zoho doesn’t support prompt=select_account, causing a 400 error and blocking OIDC login. Any way to change the prompt param in Zitadel’s OIDC config? Prefer to avoid SAML if possible cause i think zoho doesnt provide saml endpoints as an service provider.
ZITADEL Docs
OpenID Connect 1.0 Discovery
hey @Sk-7060131690 I will look a bit more and see about the params, it seems like we can make it work, I had a discussion wiuth one of my engineers today, allow me some time and I will get back on it.
Hello @Rajat , thanks a lot for the update!
No rush at all, will look forward to any updates. Thanks again!
hi @Sk-7060131690 thanks for waiting, was on vacation all this time. I just read that zoho supports
prompt=consent but Zitadel currently does not allow it(OIDC does so it should be possible). Do you want to open a PR/issue for this?. You can document your findings on it too in better way so that we can work on it(or else if you want to do it, that is also fine, we review it in that case)
https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpointFinal: OpenID Connect Core 1.0 incorporating errata set 2
OpenID Connect Core 1.0 incorporating errata set 2
I read about prompt=consent here on zoho
https://www.zoho.com/accounts/protocol/oauth/web-apps/authorization.html
Zoho
Server-based Apps - Get Authorization Code | OAuth 2.0 - Zoho
Request for an authorization code with the required scopes. After the user grants the required permission, an authorization code will be returned.
Hi @Rajat , thanks for the update, and hope you had a great vacation!
I checked the code and confirmed that we're currently passing the default value of prompt=select_account for every OIDC external IDP directly in the backend. I'm going through the codebase now, but since I'm new to Go, I'll need to spend some time learning before I can confidently propose a solution.
I see two possible approaches here:
- Add a dedicated Zoho provider to handle the prompt=consent behavior specifically.
- Introduce an additional field in the UI to let users choose the prompt value dynamically.
I’d love to contribute and will try implementing one of these solutions. I’m not sure yet if I’ll succeed, but I’ll open an issue once I’ve made some progress and have a clearer idea.
Which approach would you recommend going with?
hey @Sk-7060131690 will suggest you to start by opening up an issue on zitadel GH issue and then followed by contributing 🙂 , you can take your time,please read the contributing guidelines, and see if you can run a local setup, and then go from there.
Hey! @Rajat Thanks for the guidance 🙂 I’ve already got the code set up locally. I’ll go through the contributing guidelines next and then open a GitHub issue to get started. Looking forward to contributing!
awesome @Sk-7060131690 you can close this by marking it with ✅ and it will auto close the thread, later on you can refernce the opened issue here.
Thanks