Parameter forwarding to OIDC auth URL

[gingerich]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

I'm connecting to a OIDC provider that accepts query params described in the OIDC specification. In particular, I need to pass the login_hint query param to the auth URL. This is a per-request value so it can't be a config value or hardcoded in a OIDC strategy.

For example, Keycloak's auth request supports parameter forwarding to the auth URL of any upstream IdPs. https://www.keycloak.org/docs/latest/securing_apps/#_params_forwarding

For context, the flow I'm trying to achieve is

1. Show form with only email input
2. User submits email and my server-side code checks if they should auth via OIDC based on the email domain
3. If so, user is redirected to the OIDC provider which pre-fills their email address in the login form
4. Otherwise, show password input and submit as usual

Describe your ideal solution

When submitting a login/registration flow where method: 'oidc', I'd like to pass extra arguments that will be forwarded as query params to the auth url of the oidc provider. I think adding a params object to the submit payload containing key/value parameters would be a feasible solution for this.

Workarounds or alternatives

I haven't found any suitable workarounds yet.

Version

v0.8.0-alpha.3

Additional Context

No response

[aeneasr]

That's a valid point! Do you need to set these always from the callee or do you want to set those globally per provider?

[gingerich]

In my case I need to always pass the login_hint value from the callee. But I could see in other cases it may be useful to configure custom auth params globally for a generic provider.

[aeneasr]

Ok, got it. I think we could include parameters which would be set by clients usually (such as login_hint, or locale). Would you be interested in contributing this change? First we should agree on a list of parameters that should be passable.

[gingerich]

I have limited experience with Golang but I'm happy to take a stab at it since the scope is small and seems pretty straightforward. I'll put together a brief proposal before I get started, including a parameter list to agree on.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[aeneasr]

@Benehiko is actually working on this atm