[GH-ISSUE #7700] oauth-provider add support for prompt=none #10879

New Issue

GiteaMirror · 2026-04-13T07:15:08-05:00

GiteaMirror commented

2026-04-13 07:15:08 -05:00

Originally created by @dvanmali on GitHub (Jan 30, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7700

Is this suited for github?

Yes, this is suited for github

PR #7665 added the enum for prompt="none" into the parameter list however the prompt is not actually supported internally.

Describe the solution you'd like

Add support for prompt="none" for the oauth-provider plugin.

Describe alternatives you've considered

na

Additional context

Currently, there is no advertisement of the "none" prompt in metadata field prompt_values_supported so it's a feature request (not an issue).

Originally created by @dvanmali on GitHub (Jan 30, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/7700 ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. PR #7665 added the enum for `prompt="none"` into the parameter list however the prompt is not actually supported internally. ### Describe the solution you'd like Add support for `prompt="none"` for the oauth-provider plugin. ### Describe alternatives you've considered na ### Additional context Currently, there is no advertisement of the "none" prompt in metadata field `prompt_values_supported` so it's a feature request (not an issue).

GiteaMirror added the locked label 2026-04-13 07:15:08 -05:00

GiteaMirror closed this issue

2026-04-13 07:15:09 -05:00

GiteaMirror commented

2026-04-13 07:15:11 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 30, 2026):

The feature request to add support for prompt="none" in the oauth-provider plugin is noted. Currently, the implementation has been pointed out as lacking internal support for this parameter despite the enum being added in a previous PR [1]. Adding support for prompt="none" would allow for silent login flows and would align the plugin with the OIDC standard [2].

Next steps would involve investigating the necessary changes to implement this feature in accordance to the standards and any related updates in the ongoing development process.

If you'd like to continue this discussion or have further inquiries about the implementation, please tag @better-auth-agent for additional assistance! What are your thoughts on the implementation challenges with this feature?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Jan 30, 2026): The feature request to add support for `prompt="none"` in the oauth-provider plugin is noted. Currently, the implementation has been pointed out as lacking internal support for this parameter despite the enum being added in a previous PR [[1]](https://github.com/better-auth/better-auth/pull/7092). Adding support for `prompt="none"` would allow for silent login flows and would align the plugin with the OIDC standard [[2]](https://github.com/better-auth/better-auth/pull/4163). Next steps would involve investigating the necessary changes to implement this feature in accordance to the standards and any related updates in the ongoing development process. If you'd like to continue this discussion or have further inquiries about the implementation, please tag @better-auth-agent for additional assistance! What are your thoughts on the implementation challenges with this feature? _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:15:11 -05:00

@DibyodyutiMondal commented on GitHub (Feb 5, 2026):

@better-auth-agent

from what I gathered, supporting prompt=none, and supporting silent signin are 2 different things

usually in OIDC, in case of /authorize endpoint, in case of user not present or consent not present, it will redirect to the signup/sign/consent page as required. errors will redirect to the redirect_uri as per the query parameter.

However, with prompt=none, in case the user is not present or consent is required or something else happened which requires user interaction, then it is to be treated the same as error, and it will redirect to the redirect_uri, as per query parameter. the errors will be login_required, etc (as per the RFC) according to the specific context of the request.

This does not enable silent signin automatically by default, but it allows us to build silent signin feature by giving us a request we can make to detect and sign in the user if possible.

there is a separate RFC spec for silent session management in OIDC that uses a check_session_iframe, a session state cookie and a session_state query parameter in the authorization endpoint redirect response, which builds on top of the prompt none feature.

can you compile all of that and tell us what would be required to be done to implement.
maybe we should break the implementation into 2 parts - properly supporting prompt none, and silent session management on top of that

@DibyodyutiMondal commented on GitHub (Feb 5, 2026): @better-auth-agent from what I gathered, supporting prompt=none, and supporting silent signin are 2 different things usually in OIDC, in case of /authorize endpoint, in case of user not present or consent not present, it will redirect to the signup/sign/consent page as required. errors will redirect to the redirect_uri as per the query parameter. However, with prompt=none, in case the user is not present or consent is required or something else happened which requires user interaction, then it is to be treated the same as error, and it will redirect to the redirect_uri, as per query parameter. the errors will be login_required, etc (as per the RFC) according to the specific context of the request. This does not enable silent signin automatically by default, but it allows us to build silent signin feature by giving us a request we can make to detect and sign in the user if possible. there is a separate RFC spec for silent session management in OIDC that uses a check_session_iframe, a session state cookie and a session_state query parameter in the authorization endpoint redirect response, which builds on top of the prompt none feature. can you compile all of that and tell us what would be required to be done to implement. maybe we should break the implementation into 2 parts - properly supporting prompt none, and silent session management on top of that

GiteaMirror commented

2026-04-13 07:15:12 -05:00

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026):

To implement support for prompt=none in the OAuth provider, here are the required steps:

Internal Support: Ensure that the better-auth OAuth provider can handle requests with prompt=none correctly. This includes treating the absence of user interaction as an error state and redirecting to the specified redirect_uri if user presence or consent is required [2].
Update Metadata: Advertise the prompt=none option in the OpenID Connect discovery document under prompt_values_supported. This ensures clients can discover its support through the metadata [2].
Error Handling: Define error semantics for unsupported scenarios. When prompt=none is called, and the conditions for silent sign-in are not met (e.g., user not present), it should return an error indicating the need for user interaction [1].
Silent Session Management: Consider implementing a more comprehensive feature for silent session management on top of prompt=none, as it is intended to facilitate silent sign-in requests [2]. This could involve integrating mechanisms like check_session_iframe and handling a session state cookie [2].

It might be beneficial to break down these tasks into two parts:

Get prompt=none fully functional.
Implement the silent session management features thereafter.

Would you like further clarification on any specific aspect of this implementation process?

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026): To implement support for `prompt=none` in the OAuth provider, here are the required steps: 1. **Internal Support**: Ensure that the better-auth OAuth provider can handle requests with `prompt=none` correctly. This includes treating the absence of user interaction as an error state and redirecting to the specified `redirect_uri` if user presence or consent is required [[2]](https://github.com/better-auth/better-auth/issues/7700). 2. **Update Metadata**: Advertise the `prompt=none` option in the OpenID Connect discovery document under `prompt_values_supported`. This ensures clients can discover its support through the metadata [[2]](https://github.com/better-auth/better-auth/issues/7700). 3. **Error Handling**: Define error semantics for unsupported scenarios. When `prompt=none` is called, and the conditions for silent sign-in are not met (e.g., user not present), it should return an error indicating the need for user interaction [[1]](https://github.com/better-auth/better-auth/issues/6737). 4. **Silent Session Management**: Consider implementing a more comprehensive feature for silent session management on top of `prompt=none`, as it is intended to facilitate silent sign-in requests [[2]](https://github.com/better-auth/better-auth/issues/7700). This could involve integrating mechanisms like `check_session_iframe` and handling a session state cookie [[2]](https://github.com/better-auth/better-auth/issues/7700). It might be beneficial to break down these tasks into two parts: - Get `prompt=none` fully functional. - Implement the silent session management features thereafter. Would you like further clarification on any specific aspect of this implementation process?  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:15:12 -05:00

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026):

It seems you want to gather insights on implementing support for prompt=none in the Better Auth oauth-provider. Here's a summarized breakdown of how to approach this:

Understanding prompt=none: This parameter is a part of OpenID Connect that allows clients to request a silent authentication attempt. If the user is not authenticated, the request should return an error, redirecting to the specified redirect_uri, rather than prompting the user for authentication.
Implementing Support:
- Internal Handling: Based on the discussions, it seems that support for prompt=none was previously not fully functional but was addressed in a recent commit that ensures it adheres to the OIDC standards, allowing silent authentication flows to work properly without causing validation errors [5].
- Metadata Update: Ensure the prompt_values_supported metadata field reflects supported values, including none, for clients to discover the feature. Currently, it appears this is still a feature request and should be updated accordingly [6].
Future Steps for Silent Sign-in:
- Consider implementing a separate flow based on the check_session_iframe and related attributes discussed in RFCs for successful silent session management. This could be structured in two parts: fixing prompt=none support, and then layering in silent sign-in features as an enhancement.

By breaking the work into these phases, you can ensure both immediate compliance with OIDC standards and the potential for enhanced functionality in the future.

If you have more specific ideas or further questions about this implementation, feel free to ask! What parts of this implementation interest you the most?

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026): It seems you want to gather insights on implementing support for `prompt=none` in the Better Auth oauth-provider. Here's a summarized breakdown of how to approach this: 1. **Understanding `prompt=none`**: This parameter is a part of OpenID Connect that allows clients to request a silent authentication attempt. If the user is not authenticated, the request should return an error, redirecting to the specified `redirect_uri`, rather than prompting the user for authentication. 2. **Implementing Support**: - **Internal Handling**: Based on the discussions, it seems that support for `prompt=none` was previously not fully functional but was addressed in a recent commit that ensures it adheres to the OIDC standards, allowing silent authentication flows to work properly without causing validation errors [[5]](https://github.com/better-auth/better-auth/pull/7665). - **Metadata Update**: Ensure the `prompt_values_supported` metadata field reflects supported values, including `none`, for clients to discover the feature. Currently, it appears this is still a feature request and should be updated accordingly [[6]](https://github.com/better-auth/better-auth/issues/7700). 3. **Future Steps for Silent Sign-in**: - Consider implementing a separate flow based on the `check_session_iframe` and related attributes discussed in RFCs for successful silent session management. This could be structured in two parts: fixing `prompt=none` support, and then layering in silent sign-in features as an enhancement. By breaking the work into these phases, you can ensure both immediate compliance with OIDC standards and the potential for enhanced functionality in the future. If you have more specific ideas or further questions about this implementation, feel free to ask! What parts of this implementation interest you the most?  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:15:13 -05:00

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026):

To implement support for prompt="none" in Better Auth for the oauth-provider plugin, here's what needs to be considered:

Understanding prompt="none": This is used in OIDC to attempt a silent authentication without user interaction. If user interaction is required (like consent or the user not being present), the request should return an error state, effectively treating it as if it failed.
Implementation Steps:
- Add support for processing the prompt="none" parameter when the authorization request is made.
- Modify the handling of authorization responses to check for scenarios where user interaction is needed and redirect to redirect_uri with proper error handling (e.g., login_required).
- Ensure that metadata reflects that prompt="none" is supported in the prompt_values_supported field.
Silent Sign-in Management: This feature can be built once prompt="none" support is established. You might consider working on:
- Introducing a check_session_iframe functionality that checks if the user is still logged in without needing to require their interaction explicitly.
- Use session state cookies and pass them as needed through the session_state query parameter.
Next Steps for Implementation:
- Break the implementation process into two phases:
  - Phase 1: Implement base support for prompt="none".
  - Phase 2: Develop and integrate the silent session management using appropriate RFC specifications.

By organizing the work this way, it becomes manageable to tackle each piece systematically without overwhelming the development process.

If you have further questions about this implementation or need clarification on specific parts, feel free to ask!

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Feb 5, 2026): To implement support for `prompt="none"` in Better Auth for the oauth-provider plugin, here's what needs to be considered: 1. **Understanding `prompt="none"`**: This is used in OIDC to attempt a silent authentication without user interaction. If user interaction is required (like consent or the user not being present), the request should return an error state, effectively treating it as if it failed. 2. **Implementation Steps**: - Add support for processing the `prompt="none"` parameter when the authorization request is made. - Modify the handling of authorization responses to check for scenarios where user interaction is needed and redirect to `redirect_uri` with proper error handling (e.g., `login_required`). - Ensure that metadata reflects that `prompt="none"` is supported in the `prompt_values_supported` field. 3. **Silent Sign-in Management**: This feature can be built once `prompt="none"` support is established. You might consider working on: - Introducing a `check_session_iframe` functionality that checks if the user is still logged in without needing to require their interaction explicitly. - Use session state cookies and pass them as needed through the `session_state` query parameter. 4. **Next Steps for Implementation**: - Break the implementation process into two phases: - Phase 1: Implement base support for `prompt="none"`. - Phase 2: Develop and integrate the silent session management using appropriate RFC specifications. By organizing the work this way, it becomes manageable to tackle each piece systematically without overwhelming the development process. If you have further questions about this implementation or need clarification on specific parts, feel free to ask!  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:15:14 -05:00

@dvanmali commented on GitHub (Mar 11, 2026):

@himself65 this is incomplete. Wrong plugin

@dvanmali commented on GitHub (Mar 11, 2026): @himself65 this is incomplete. Wrong plugin

Sign in to join this conversation.

Branches Tags

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#10879

[GH-ISSUE #7700] oauth-provider add support for prompt=none #10879

Is this suited for github?

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

[GH-ISSUE #7700] oauth-provider add support for `prompt=none` #10879