feat: support auth_type parameter (#3487)
The Facebook OIDC provider supports an auth_type parameter that
when set to "reauthenticate" will force the user to
reauthenticate (similar to `prompt=login` for other Providers).
hperl authored Sep 11, 2023
1 parent aa0c36c commit fc30304
Showing 3 changed files with 8 additions and 0 deletions.
4 changes: 4 additions & 0 deletions selfservice/strategy/oidc/.schema/link.schema.json
Expand Up @@ -33,6 +33,10 @@
"description": "The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent (for example, select_account).",
"type": "string"
},
"auth_type": {
"description": "The `auth_type` parameter specifies the requested authentication features (as a comma-separated list).",
"type": "string"
},
"additionalProperties": false
}
}
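Review bot: The new `auth_type` property accepts any string, so a value typed into the login form by the end user is forwarded as-is to the upstream authorization URL; the property description says it is a comma-separated list of feature names, but nothing in the schema enforces that shape. Since the commit message names `reauthenticate` as the value Facebook honours, consider pinning it with `"enum": ["reauthenticate"]`, or at minimum `"pattern": "^[a-z_]+(,[a-z_]+)*$"` if further comma-separated values are intended. The OAuth2 client presumably URL-encodes the value so this is not an injection vector into the redirect, but a tight schema keeps the parameter from becoming a free-form channel to the provider and matches the intent of `additionalProperties: false` on the same object.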
2 changes: 2 additions & 0 deletions selfservice/strategy/oidc/provider.go
Expand Up @@ -76,6 +76,7 @@ func (c *Claims) Validate() error {
// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
// - `auth_type` (string): The `auth_type` parameter specifies the requested authentication features (as a comma-separated list), e.g. `reauthenticate`.
func UpstreamParameters(provider Provider, upstreamParameters map[string]string) []oauth2.AuthCodeOption {
// validation of upstream parameters are already handled in the `oidc/.schema/link.schema.json` and `oidc/.schema/settings.schema.json` file.
// `upstreamParameters` will always only contain allowed parameters based on the configuration.
Expand All @@ -85,6 +86,7 @@ func UpstreamParameters(provider Provider, upstreamParameters map[string]string)
"login_hint": {},
"hd": {},
"prompt": {},
"auth_type": {},
}

var params []oauth2.AuthCodeOption
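Review bot: The doc line added for `auth_type` does not say which provider honours it, whereas the neighbouring `hd` line explicitly names Google; since the commit description says this is Facebook's parameter, something like `// - \`auth_type\` (string): Facebook-specific. The \`auth_type\` parameter specifies the requested authentication features as a comma-separated list, e.g. \`reauthenticate\` forces the user to re-authenticate (comparable to \`prompt=login\` on other providers).` would match the existing style. Note also that the allowlist map in the second hunk is provider-agnostic, so `auth_type` will be forwarded to every configured provider, not only Facebook; if the `provider` argument is used further down to gate provider-specific keys such as `hd`, this key should be gated the same way, but the rest of `UpstreamParameters` lies outside the hunk.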
2 changes: 2 additions & 0 deletions selfservice/strategy/oidc/strategy_test.go
Expand Up @@ -730,6 +730,7 @@ func TestStrategy(t *testing.T) {
fv.Set("upstream_parameters.login_hint", "[email protected]")
fv.Set("upstream_parameters.hd", "ory.sh")
fv.Set("upstream_parameters.prompt", "select_account")
fv.Set("upstream_parameters.auth_type", "reauthenticate")

res, err := c.PostForm(action, fv)
require.NoError(t, err)
Expand All @@ -741,6 +742,7 @@ func TestStrategy(t *testing.T) {
require.Equal(t, "[email protected]", loc.Query().Get("login_hint"))
require.Equal(t, "ory.sh", loc.Query().Get("hd"))
require.Equal(t, "select_account", loc.Query().Get("prompt"))
require.Equal(t, "reauthenticate", loc.Query().Get("auth_type"))
})

t.Run("case=should pass when logging in", func(t *testing.T) {
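Review bot: The added assertion only covers the positive path — a well-formed `auth_type` is echoed into the authorization URL — and nothing in this case pins the negative side, i.e. that a value outside what the schema allows is rejected rather than forwarded. If the schema is tightened to the documented value, a sibling case posting `fv.Set("upstream_parameters.auth_type", "bogus")` and asserting either a validation error or an empty `loc.Query().Get("auth_type")` would lock that in. The existing keys may already have such coverage elsewhere in the file, which this hunk does not show; the enclosing `TestStrategy` subtest starts and ends outside the hunk.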
