WorkOS Support Request: AuthKit Not Forwarding OIDC Parameters to Upstream Providers (React Native/Expo) #105

@uday-a

When using provider: 'authkit' with mobile apps (React Native/Expo), OIDC parameters like prompt and max_age are not forwarded to upstream OAuth providers (Google, Apple). This causes auto-login issues after logout.

Environment

  • Frontend: React Native 0.81 + Expo 54
  • Auth Provider: WorkOS AuthKit
  • Mobile Platform: iOS/Android
  • OAuth Providers: Google, Apple
  • WorkOS SDK: Node.js SDK v7.x (client-side calls)

The Problem

After a user logs out and tries to log in again, they are automatically logged in with their previously used Google account instead of seeing the account picker or login screen.

What We Need

We need AuthKit to forward OIDC parameters (prompt, max_age) to upstream providers so that:

  1. Users can select which Google account to use (prompt: 'select_account')
  2. Users are forced to re-authenticate after logout (prompt: 'login' or max_age: '0')

Expected Behavior

When using prompt: 'select_account':

  • User should see Google account picker with saved accounts
  • User can select which account to use
  • No auto-login

When using prompt: 'login' or max_age: '0':

  • User should see fresh login screen
  • Forces re-authentication

Current Workarounds (Not Ideal)

Option 1: preferEphemeralSession: true

const result = await WebBrowser.openAuthSessionAsync(url, redirectUri, {
  preferEphemeralSession: true
});

Issues:

  • Prevents auto-login ✅
  • Users must type email manually ❌ (no auto-fill)
  • Loses convenience of saved accounts

Option 2: Direct Provider (Bypasses AuthKit)

const params = new URLSearchParams({
  provider: 'GoogleOAuth',
  prompt: 'select_account'
});

Issues:

  • Works correctly ✅
  • Loses AuthKit UI (can't offer Apple/Email options on same screen)
  • Not a solution for multi-provider AuthKit use case

Attempts Made

Attempt 1: Add OIDC params to URLSearchParams

const params = new URLSearchParams({
  provider: 'authkit',
  prompt: 'select_account',
  max_age: '0'
});
// Result: ❌ AuthKit ignores these params

Attempt 2: provider_query_params syntax

const url = `...&provider_query_params[prompt]=select_account`;
// Result: ❌ Doesn't work from mobile client (only server-side?)

Attempt 3: Custom logout URL

const logoutUrl = `https://${clientId}.authkit.app/logout?session_id=${sessionId}`;
// Result: ⚠️ Opens browser during logout (bad UX), doesn't always prevent auto-login

Expected Solution

AuthKit should forward OIDC parameters to upstream providers. Something like:

const params = new URLSearchParams({
  provider: 'authkit',
  prompt: 'select_account',  // Should be forwarded to Google
  max_age: '0'               // Should be forwarded to Google
});
// Expected: Google receives these params and shows account picker

Or a WorkOS-specific parameter:

const params = new URLSearchParams({
  provider: 'authkit',
  upstream_prompt: 'select_account'  // WorkOS-specific param
});

Questions for WorkOS Team

  1. Is there a supported way to forward OIDC parameters to upstream providers when using AuthKit?

  2. Is provider_query_params supposed to work from mobile clients, or only server-side?

  3. Are there plans to support prompt and max_age parameters with AuthKit?

  4. Is there a recommended approach for preventing auto-login while keeping AuthKit UI?

Example URLs

Current URL (AuthKit - auto-login happens)

https://api.workos.com/user_management/authorize?client_id=...&provider=authkit&screen_hint=sign-in

Expected URL (AuthKit - should forward params to Google)

https://api.workos.com/user_management/authorize?client_id=...&provider=authkit&screen_hint=sign-in&prompt=select_account

Working URL (Direct Google - shows account picker)

https://api.workos.com/user_management/authorize?client_id=...&provider=GoogleOAuth&prompt=select_account
