feat: handle 'prompt' upstream parameter during OIDC flow

ory · May 22, 2023 · 0a0661c · 0a0661c
1 parent 5535fcb
commit 0a0661c
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 2 deletions.
diff --git a/selfservice/strategy/oidc/.schema/link.schema.json b/selfservice/strategy/oidc/.schema/link.schema.json
@@ -29,8 +29,12 @@
           "description": "The hd (hosted domain) parameter streamlines the login process for G Suite hosted accounts. By including the domain of the G Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that domain.",
           "type": "string"
         },
+        "prompt": {
+          "description": "The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent (for example, select_account).",
+          "type": "string"
+        },
         "additionalProperties": false
       }
     }
   }
-}
+}
diff --git a/selfservice/strategy/oidc/.schema/settings.schema.json b/selfservice/strategy/oidc/.schema/settings.schema.json
@@ -27,8 +27,12 @@
           "description": "The hd (hosted domain) parameter streamlines the login process for G Suite hosted accounts. By including the domain of the G Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that domain.",
           "type": "string"
         },
+        "prompt": {
+          "description": "The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent (for example, select_account).",
+          "type": "string"
+        },
         "additionalProperties": false
       }
     }
   }
-}
+}
diff --git a/selfservice/strategy/oidc/provider.go b/selfservice/strategy/oidc/provider.go
@@ -75,6 +75,7 @@ func (c *Claims) Validate() error {
 // Allowed parameters are:
 // - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
 // - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
+// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 func UpstreamParameters(provider Provider, upstreamParameters map[string]string) []oauth2.AuthCodeOption {
 	// validation of upstream parameters are already handled in the `oidc/.schema/link.schema.json` and `oidc/.schema/settings.schema.json` file.
 	// `upstreamParameters` will always only contain allowed parameters based on the configuration.
@@ -83,6 +84,7 @@ func UpstreamParameters(provider Provider, upstreamParameters map[string]string)
 	allowedParameters := map[string]struct{}{
 		"login_hint": {},
 		"hd":         {},
+		"prompt":     {},
 	}
 
 	var params []oauth2.AuthCodeOption

diff --git a/selfservice/strategy/oidc/strategy_login.go b/selfservice/strategy/oidc/strategy_login.go
@@ -77,6 +77,7 @@ type UpdateLoginFlowWithOidcMethod struct {
 	// Supported parameters are:
 	// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
 	// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
+	// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 	//
 	// required: false
 	UpstreamParameters json.RawMessage `json:"upstream_parameters"`

diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go
@@ -84,6 +84,7 @@ type UpdateRegistrationFlowWithOidcMethod struct {
 	// Supported parameters are:
 	// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
 	// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
+	// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 	//
 	// required: false
 	UpstreamParameters json.RawMessage `json:"upstream_parameters"`

diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go
@@ -227,6 +227,7 @@ type updateSettingsFlowWithOidcMethod struct {
 	// Supported parameters are:
 	// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
 	// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
+	// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 	//
 	// required: false
 	UpstreamParameters json.RawMessage `json:"upstream_parameters"`

diff --git a/selfservice/strategy/oidc/strategy_settings_test.go b/selfservice/strategy/oidc/strategy_settings_test.go
@@ -485,6 +485,7 @@ func TestSettingsStrategy(t *testing.T) {
 				values.Set("link", provider)
 				values.Set("upstream_parameters.login_hint", "foo@bar.com")
 				values.Set("upstream_parameters.hd", "bar.com")
+				values.Set("upstream_parameters.prompt", "consent")
 
 				resp, err := c.PostForm(action(req), *values)
 				require.NoError(t, err)
@@ -495,6 +496,7 @@ func TestSettingsStrategy(t *testing.T) {
 
 				require.EqualValues(t, "foo@bar.com", loc.Query().Get("login_hint"))
 				require.EqualValues(t, "bar.com", loc.Query().Get("hd"))
+				require.EqualValues(t, "consent", loc.Query().Get("prompt"))
 			})
 
 			t.Run("case=invalid query parameters should be ignored", func(t *testing.T) {

diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
@@ -671,6 +671,7 @@ func TestStrategy(t *testing.T) {
 			fv.Set("provider", "valid")
 			fv.Set("upstream_parameters.login_hint", "oidc-upstream-parameters@ory.sh")
 			fv.Set("upstream_parameters.hd", "ory.sh")
+			fv.Set("upstream_parameters.prompt", "select_account")
 
 			res, err := c.PostForm(action, fv)
 			require.NoError(t, err)
@@ -681,6 +682,7 @@ func TestStrategy(t *testing.T) {
 
 			require.Equal(t, "oidc-upstream-parameters@ory.sh", loc.Query().Get("login_hint"))
 			require.Equal(t, "ory.sh", loc.Query().Get("hd"))
+			require.Equal(t, "select_account", loc.Query().Get("prompt"))
 		})
 
 		t.Run("case=should pass when logging in", func(t *testing.T) {
@@ -693,6 +695,7 @@ func TestStrategy(t *testing.T) {
 			fv.Set("provider", "valid")
 			fv.Set("upstream_parameters.login_hint", "oidc-upstream-parameters@ory.sh")
 			fv.Set("upstream_parameters.hd", "ory.sh")
+			fv.Set("upstream_parameters.prompt", "select_account")
 
 			res, err := c.PostForm(action, fv)
 			require.NoError(t, err)
@@ -703,6 +706,7 @@ func TestStrategy(t *testing.T) {
 
 			require.Equal(t, "oidc-upstream-parameters@ory.sh", loc.Query().Get("login_hint"))
 			require.Equal(t, "ory.sh", loc.Query().Get("hd"))
+			require.Equal(t, "select_account", loc.Query().Get("prompt"))
 		})
 
 		t.Run("case=should ignore invalid parameters when logging in", func(t *testing.T) {