Shared computers don’t get the login prompt

Users don’t always log out from websites, something that can create problems if users share computers. For example, suppose August Springer logs to the OpenID Connect Playground and then clicks the Call /UserInfo button to return the user profile information that’s been copied to the userinfo endpoint. That returns information similar to this (note the user’s birthdate, family name, and given name):

{
    "at_hash": "QChsIVwNHq3tLy4Lycbtbg",
    "aud": [
        "64430515-01ea-4f5d-82e4-c36161af0093"
    ],
    "auth_time": 1592061510,
    "birthdate": "1989-12-19",
    "email": "augustjosephspringer@gmail.com",
    "email_verified": true,
    "exp": 1592063314,
    "family_name": "Springer",
    "given_name": "August",
    "global_sub": "capture-v1://se-demos-gstemp.us-dev.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu
/GREG_DEMO/72ef339b-192c-47bc-95a2-a395be84b57c",
    "iat": 1592061514,
    "iss": "https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login",
    "jti": "zjHlABGp2CWxp-u5vUWtqZyh",
    "preferred_username": "August Joseph Springer",
    "sub": "72ef339b-192c-47bc-95a2-a395be84b57c",
    "updated_at": 1307978220
}

Let's now suppose that August leaves the Playground without logging off. A little while later a second user, Skeeter Davis, uses the same computer to access the Playground. When Skeeter clicks the Start button he doesn’t see the sign-in screen; instead, he’s automatically logged on. And look what happens when he clicks Call /Userinfo:

{
    "at_hash": "QChsIVwNHq3tLy4Lycbtbg",
    "aud": [
        "64430515-01ea-4f5d-82e4-c36161af0093"
    ],
    "auth_time": 1592061510,
    "birthdate": "1989-12-19",
    "email": "augustjosephspringer@gmail.com",
    "email_verified": true,
    "exp": 1592063314,
    "family_name": "Springer",
    "given_name": "August",
    "global_sub": "capture-v1://se-demos-gstemp.us-dev.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu
/GREG_DEMO/72ef339b-192c-47bc-95a2-a395be84b57c",
    "iat": 1592061514,
    "iss": "https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login",
    "jti": "zjHlABGp2CWxp-u5vUWtqZyh",
    "preferred_username": "August Joseph Springer",
    "sub": "72ef339b-192c-47bc-95a2-a395be84b57c",
    "updated_at": 1307978220
}

As you can see, he gets August's user profile information. Why? Because Hosted Login thinks he is August Springer. When Skeeter clicked Start, August still had a valid session running. In turn, Hosted Login assumed August had returned and, instead of asking him to reenter his email address and password, it simply restored his existing session. Unfortunately, that means giving the wrong person access to August's information.

One way to deal with this problem (which, just to be clear, is a problem only if users share computers and only if they share computers without logging off) is to use the prompt parameter to force the sign-in screen to appear any time a user tries to access the site (in our case, any time the user clicks the Start button). To do that in the OpenID Connect Playground, click Prompt and then select login:

imgimg

If you do that, Hosted Login forces the user – regardless of who it is and regardless of any active sessions or valid access tokens they might have – to authenticate:

imgimg

Skeeter Davis now has to log in using his own email address and password. And here’s what he sees if he clicks Call /Userinfo:

{

    "at_hash": "H39x87RxOC5FVNMar73D7Q",
    "aud": [
        "64430515-01ea-4f5d-82e4-c36161af0093"
    ],
    "auth_time": 1592061684,
        "birthdate": "1989-06-03",
    "email": "skeeterjdavis@gmail.com",
    "email_verified": true,
    "exp": 1592063486,
    "family_name": "Springer",
    "given_name": "August"
    "global_sub": "capture-v1://se-demos-gstemp.us-dev.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu
/GREG_DEMO/070ba0b7-c2aa-4e6b-be27-3069ccdcc874",
    "iat": 1592061686,
    "iss": "https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login",

    "jti": "u3WUHErEBbCM2EmKSOHPd1hK",
    "preferred_username": "Skeeter Davis",
    "sub": "070ba0b7-c2aa-4e6b-be27-3069ccdcc874",
    "updated_at": 1181748060
}

That’s more like it.

If you’re creating your own authorization requests (without using the OpenID Connect Playground) just add the prompt parameter and set the value to login:

https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/authorize
   ?client_id=a123ef65-83dc-4094-a09a-76e1bec424e7
   &redirect_uri=https://wacky-harmonious-bike.dev.or.janrain.com/redirect_uri
   &scope=openid
   &code_challenge=D3-7i_p9BKO1_BkO8zIkO4uVawhF2LFADEqLgjvRcmw
   &code_challenge_method=S256
   &prompt=login
   &response_type=code
   &state=MMNgYPduCdwHbbvQjkZXXVrP5Pi4q66OqQ0CNkqFXG4