diff --git a/securing_apps/topics/oidc/java/params_forwarding.adoc b/securing_apps/topics/oidc/java/params_forwarding.adoc index 1e8252d08f..faba189026 100644 --- a/securing_apps/topics/oidc/java/params_forwarding.adoc +++ b/securing_apps/topics/oidc/java/params_forwarding.adoc @@ -19,7 +19,11 @@ The supported parameters are: * scope -* prompt +* prompt - {project_name} supports these settings: +** `login` - SSO will be ignored and the {project_name} login page will be always shown, even if the user is already authenticated +** `none` - The login page will never be shown; instead the user will be redirected to the application, with an error if the user +is not yet authenticated. This setting allows you to create a filter/interceptor on the application side and show a custom error page +to the user. See more details in the specification. * max_age @@ -30,3 +34,7 @@ The supported parameters are: Most of the parameters are described in the http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[OIDC specification]. The only exception is parameter `kc_idp_hint`, which is specific to {project_name} and contains the name of the identity provider to automatically use. For more information see the `Identity Brokering` section in link:{adminguide_link}[{adminguide_name}]. + +WARNING: If you open the URL using the attached parameters, the adapter will not redirect you to {project_name} if you are already authenticated +in the application. For example, opening $$http://myappserver/mysecuredapp?prompt=login$$ will not automatically redirect you to +the {project_name} login page if you are already authenticated to the application `mysecredapp` . This behavior may be changed in the future.
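Review bot: In the first hunk, the `none` bullet ends with "See more details in the specification." but gives no link, and it does not name the error the application will receive. The paragraph further down already links http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint, so reuse that link here and state which error value the suggested filter/interceptor should look for. Without that, a reader cannot write the custom error page handling the bullet recommends. In the `login` bullet, "will be always shown" should read "will always be shown".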
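Review bot: In the second hunk, the WARNING names the application as `mysecredapp`, while the example URL on the line above uses `mysecuredapp`. Fix the spelling and drop the stray space before the final period. The warning should also spell out the consequence: since `prompt=login` on the application URL is not forwarded when the user already has an application session, it cannot be relied on to force re-authentication in that case. "This behavior may be changed in the future" gives the reader nothing to plan against, so either reference a tracking issue or remove the sentence.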