From 7e5eef390b4551cc9bcfdf79d4718bb4b128faaf Mon Sep 17 00:00:00 2001
From: Joe DeCock
Date: Fri, 31 May 2024 14:10:25 -0500
Subject: [PATCH] Respect processed prompt and max age when using par
---
 .../Results/AuthorizeInteractionPageResult.cs | 10 ++++++++++
 .../Validation/Default/RequestObjectValidator.cs | 13 +++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/src/IdentityServer/Endpoints/Results/AuthorizeInteractionPageResult.cs b/src/IdentityServer/Endpoints/Results/AuthorizeInteractionPageResult.cs
index 0ea7df81e..0b6c7ef6d 100644
--- a/src/IdentityServer/Endpoints/Results/AuthorizeInteractionPageResult.cs
+++ b/src/IdentityServer/Endpoints/Results/AuthorizeInteractionPageResult.cs
@@ -91,6 +91,16 @@ public async Task WriteHttpResponse(AuthorizeInteractionPageResult result, HttpC
 returnUrl = returnUrl
 .AddQueryString(OidcConstants.AuthorizeRequest.RequestUri, requestUri)
 .AddQueryString(OidcConstants.AuthorizeRequest.ClientId, result.Request.ClientId);
+ var processedPrompt = result.Request.Raw[Constants.ProcessedPrompt];
+ if (processedPrompt != null)
+ {
+ returnUrl = returnUrl.AddQueryString(Constants.ProcessedPrompt, processedPrompt);
+ }
+ var processedMaxAge = result.Request.Raw[Constants.ProcessedMaxAge];
+ if (processedMaxAge != null)
+ {
+ returnUrl = returnUrl.AddQueryString(Constants.ProcessedMaxAge, processedMaxAge);
+ }
 }
 else
 {
diff --git a/src/IdentityServer/Validation/Default/RequestObjectValidator.cs b/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
index f87ed9853..02c01665f 100644
--- a/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
+++ b/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
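Review bot: The two added blocks in the PAR branch of WriteHttpResponse (AuthorizeInteractionPageResult.cs, after the `ClientId` line) have no comment saying why the markers must be re-appended here, whereas the matching change in RequestObjectValidator.cs does explain itself. I would add `// The PAR return URL carries only request_uri and client_id, so re-append the processed prompt/max_age markers` above the first block, assuming returnUrl holds nothing else at this point, which the hunk does not show. The two blocks are identical apart from the constant and could share a small local helper. The method continues outside the hunk.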
@@ -150,7 +150,20 @@ private static bool IsParRequestUri(string requestUri) // Record the reference value, so we can know that PAR did happen request.PushedAuthorizationReferenceValue = GetReferenceValue(request); // Copy the PAR into the raw request so that validation will use the pushed parameters + // But keep the query parameters we add that indicate that we have processed + // prompt and max_age, as those are not pushed + var processedPrompt = request.Raw[Constants.ProcessedPrompt]; + var processedMaxAge = request.Raw[Constants.ProcessedMaxAge]; + request.Raw = pushedAuthorizationRequest.PushedParameters; + if (processedPrompt != null) + { + request.Raw[Constants.ProcessedPrompt] = processedPrompt; + } + if (processedMaxAge != null) + { + request.Raw[Constants.ProcessedMaxAge] = processedMaxAge; + } var bindingError = ValidatePushedAuthorizationBindingToClient(pushedAuthorizationRequest, request); if (bindingError != null)
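Review bot: The values copied back after `request.Raw = pushedAuthorizationRequest.PushedParameters;` come from the front-channel query string, so they are the only entries in the resulting `request.Raw` that the client did not push and that a browser user can set or alter. Nothing in this hunk checks that the server issued them; if later prompt/max_age handling treats their presence as proof that the login already happened, a pushed `prompt=login` or `max_age` could be skipped by adding the parameter to the authorize URL, though whether that handling re-checks is not visible here. I would at least record the assumption, e.g. `// These markers are unauthenticated front-channel input; the interaction logic must not treat them as proof of re-authentication`, and consider binding them to server-side state or the session's auth time. The two assignments also write into the `PushedParameters` instance itself, which matters if that collection is cached or reused. The enclosing method starts and ends outside the hunk.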