diff --git a/src/Server.hs b/src/Server.hs
index dd6f619..72d2b8d 100644
--- a/src/Server.hs
+++ b/src/Server.hs
@@ -148,10 +148,11 @@ loginServer = decideLogin
 | not validOIDC = throwError err401 { errBody = "For OIDC, the 'openid' scope and the 'id_token' response type must be given" }
 | Just "none" <- mPrompt = handleSSO
 | Just "login" <- mPrompt = handleLogin
- | Nothing <- mPrompt = handleLogin
+ | Nothing <- mPrompt = if isJust mCreds then handleSSO else handleLogin
 | otherwise = throwError err401 { errBody = "Prompt not supported" }
 where
 responseType' = readMaybe @ResponseType responseType
+ mCreds = mCookies >>= lookup "oa2_auth_cookie" . parseCookiesText . encodeUtf8
 validOIDC :: Bool
 validOIDC = let scopes' = map (read @(Scope' user)) $ words scopes
 in (Left OpenID `elem` scopes') == (responseType' == Just IDToken)
@@ -160,8 +161,6 @@ loginServer = decideLogin
 handleSSO = do -- TODO check openid scope
 liftIO $ putStrLn "login via SSO..."
 unless (read @ResponseType responseType == IDToken) $ throwError err500 { errBody = "Unsupported response type" }
- unless (isJust mCookies) $ throwError err500 { errBody = "Missing cookie" }
- let mCreds = lookup "oa2_auth_cookie" . parseCookiesText . encodeUtf8 $ fromJust mCookies
 unless (isJust mCreds) $ throwError err500 { errBody = "Missing oauth2 cookie" }
 url' <- handleCreds @user @userData (fromJust mCreds) scopes client url mState mNonce
 liftIO $ putStrLn "SSO successful"
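Review bot: The new `Nothing <- mPrompt` guard routes to handleSSO on the mere presence of the `oa2_auth_cookie` cookie, so a stale, expired or malformed cookie (which handleCreds presumably rejects, though that code is outside the hunk) will send the user into the SSO path and fail there instead of falling back to handleLogin, leaving no way to log in without adding prompt=login. Consider either validating the cookie before taking the SSO branch or falling back to handleLogin when handleCreds rejects it, and document the current intent on the new where-binding: `-- presence of the cookie, not its validity, selects the SSO path when no prompt is given`. The hoisted `mCreds` is also the binding handleSSO now relies on, so the cookie name is referenced in one place; a named constant for "oa2_auth_cookie" would make that explicit. loginServer and its guard chain start before this hunk.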
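Review bot: After the removal of the local `let`, handleSSO still reaches into the hoisted `mCreds` with `fromJust`, guarded only by the preceding `unless (isJust mCreds)`; the two lines can be collapsed into a total pattern match so the partiality disappears: `creds <- maybe (throwError err500 { errBody = "Missing oauth2 cookie" }) pure mCreds` followed by `url' <- handleCreds @user @userData creds scopes client url mState mNonce`. The `read @ResponseType responseType` on the line above is a partial parse of request input even though `responseType'` (via readMaybe) is already in scope from the first hunk's where-clause; since a missing cookie is a client-side condition, a 4xx status would also describe it better than err500. handleSSO is a local binding of loginServer, which starts before this hunk.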