Skip to content

fix(client/auth): use .set() for prompt=consent instead of .append() to avoid duplicating #1958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mhegazy wants to merge 2 commits into
base: main
Choose a base branch
from
+22 −1
Open

fix(client/auth): use .set() for prompt=consent instead of .append() to avoid duplicating #1958

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6284819
fix(client/auth): merge consent into existing prompt param instead of…
mhegazy Apr 24, 2026
7d8ecd3
use .set() not space-delimited merge — Azure rejects multi-value prom…
mhegazy Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion packages/client/src/client/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1420,7 +1420,11 @@ export async function startAuthorization(
// if the request includes the OIDC-only "offline_access" scope,
// we need to set the prompt to "consent" to ensure the user is prompted to grant offline access
// https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
authorizationUrl.searchParams.append('prompt', 'consent');
// Use .set() not .append(): RFC 6749 §3.1 forbids duplicate params, and the
// authorization_endpoint may already include a prompt value. Azure AD also rejects the
// OIDC space-delimited list form (AADSTS90023), so a single value is the only portable
// option; consent is required for offline_access per OIDC §11.
authorizationUrl.searchParams.set('prompt', 'consent');
}

if (resource) {
Expand Down
17 changes: 17 additions & 0 deletions packages/client/test/client/auth.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1557,6 +1557,23 @@ describe('OAuth Authorization', () => {
expect(authorizationUrl.searchParams.get('prompt')).toBe('consent');
});

it('overwrites existing prompt parameter from authorization_endpoint instead of duplicating', async () => {
const { authorizationUrl } = await startAuthorization('https://auth.example.com', {
metadata: {
issuer: 'https://auth.example.com',
authorization_endpoint: 'https://auth.example.com/authorize?prompt=select_account',
token_endpoint: 'https://auth.example.com/token',
response_types_supported: ['code'],
code_challenge_methods_supported: ['S256']
},
clientInformation: validClientInfo,
redirectUrl: 'http://localhost:3000/callback',
scope: 'read offline_access'
});

expect(authorizationUrl.searchParams.getAll('prompt')).toEqual(['consent']);
});

it.each([validMetadata, validOpenIdMetadata])('uses metadata authorization_endpoint when provided', async baseMetadata => {
const { authorizationUrl } = await startAuthorization('https://auth.example.com', {
metadata: baseMetadata,
Expand Down
Loading