oauthlib · thedrow · Apr 3, 2017 · Feb 23, 2017 · Apr 2, 2017
diff --git a/oauthlib/oauth2/rfc6749/grant_types/openid_connect.py b/oauthlib/oauth2/rfc6749/grant_types/openid_connect.py
@@ -275,14 +275,26 @@ def openid_authorization_validator(self, request):
         if not request.scopes or 'openid' not in request.scopes:
             return {}
 
-        # prompt other than 'none' should be handled by the server code that uses oauthlib
-        if request.prompt == 'none' and not request.id_token_hint:
-            msg = "Prompt is set to none yet id_token_hint is missing."
-            raise InvalidRequestError(request=request, description=msg)
+        prompt = request.prompt if request.prompt else []
+        if hasattr(prompt, 'split'):
+            prompt = prompt.strip().split()
+        prompt = set(prompt)
+
+        if 'none' in prompt:
+
+            if len(prompt) > 1:
+                msg = "Prompt none is mutually exclusive with other values."
+                raise InvalidRequestError(request=request, description=msg)
+
+            # prompt other than 'none' should be handled by the server code that
+            # uses oauthlib
+            if not request.id_token_hint:
+                msg = "Prompt is set to none yet id_token_hint is missing."
+                raise InvalidRequestError(request=request, description=msg)
 
-        if request.prompt == 'none':
             if not self.request_validator.validate_silent_login(request):
                 raise LoginRequired(request=request)
+
             if not self.request_validator.validate_silent_authorization(request):
                 raise ConsentRequired(request=request)
 
@@ -293,12 +305,6 @@ def openid_authorization_validator(self, request):
             msg = "Session user does not match client supplied user."
             raise LoginRequired(request=request, description=msg)
 
-        prompt = []
-        if request.prompt:
-            prompt = request.prompt
-            if hasattr(prompt, 'split'):
-                prompt = prompt.split()
-
         request_info = {
             'display': request.display,
             'prompt': prompt,
@@ -335,6 +341,7 @@ def openid_implicit_authorization_validator(self, request):
 
         return {'nonce': request.nonce, 'claims': request.claims}
 
+
 class OpenIDConnectAuthCode(OpenIDConnectBase):
 
     def __init__(self, request_validator=None, **kwargs):

diff --git a/tests/oauth2/rfc6749/endpoints/test_prompt_handling.py b/tests/oauth2/rfc6749/endpoints/test_prompt_handling.py
@@ -7,10 +7,12 @@
 import mock
 
 from ....unittest import TestCase
+from oauthlib.oauth2 import InvalidRequestError
 from oauthlib.oauth2.rfc6749.tokens import BearerToken
 from oauthlib.oauth2.rfc6749.grant_types import OpenIDConnectAuthCode
 from oauthlib.oauth2.rfc6749.endpoints.authorization import AuthorizationEndpoint
 
+
 class OpenIDConnectEndpointTest(TestCase):
 
     def setUp(self):
@@ -48,3 +50,19 @@ def test_authorization_endpoint_handles_prompt(self, generate_token):
         self.assertURLEqual(h['Location'], expected)
         self.assertEqual(b, None)
         self.assertEqual(s, 302)
+
+    def test_prompt_none_exclusiveness(self):
+        """
+        Test that prompt=none can't be used with another prompt value.
+        """
+        params = {
+            'prompt': 'none consent',
+            'state': 'abc',
+            'redirect_uri': 'https://a.b/cb',
+            'response_type': 'code',
+            'client_id': 'abcdef',
+            'scope': 'hello openid'
+        }
+        url = 'http://a.b/path?' + urlencode(params)
+        with self.assertRaises(InvalidRequestError):
+            self.endpoint.validate_authorization_request(url)