From fc303040b71139f512fd1491ce30f80837b940b9 Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Mon, 11 Sep 2023 13:49:41 +0200
Subject: [PATCH] feat: support auth_type parameter (#3487)

The Facebook OIDC provider supports an auth_type parameter that when set to "reauthenticate" will force the user to reauthenticate (similar to `prompt=login` for other Providers).
---
 selfservice/strategy/oidc/.schema/link.schema.json | 4 ++++
 selfservice/strategy/oidc/provider.go | 2 ++
 selfservice/strategy/oidc/strategy_test.go | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/selfservice/strategy/oidc/.schema/link.schema.json b/selfservice/strategy/oidc/.schema/link.schema.json
index f813f76eef1a..c8f82c05c568 100644
--- a/selfservice/strategy/oidc/.schema/link.schema.json
+++ b/selfservice/strategy/oidc/.schema/link.schema.json
@@ -33,6 +33,10 @@
 "description": "The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent (for example, select_account).",
 "type": "string"
 },
+ "auth_type": {
+ "description": "The `auth_type` parameter specifies the requested authentication features (as a comma-separated list).",
+ "type": "string"
+ },
 "additionalProperties": false
 }
 }
diff --git a/selfservice/strategy/oidc/provider.go b/selfservice/strategy/oidc/provider.go
index ddef8dc10901..6537abbe4d6d 100644
--- a/selfservice/strategy/oidc/provider.go
+++ b/selfservice/strategy/oidc/provider.go
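Review bot: The new `auth_type` property is added to link.schema.json only, while the comment carried as context in the first provider.go hunk says upstream parameters are validated by both `oidc/.schema/link.schema.json` and `oidc/.schema/settings.schema.json`, and the diffstat shows settings.schema.json untouched. If that second schema mirrors this property list with `additionalProperties: false`, `auth_type` will be rejected in the settings flow even though the `"auth_type": {}` allowlist entry in the second provider.go hunk accepts it, so both schemas need the property. The value itself is constrained only by `"type": "string"` and is then forwarded verbatim as a query parameter on the upstream authorization URL; since the commit describes it as a Facebook feature with a fixed value set, an `"enum": ["reauthenticate", "<other values the provider accepts>"]` (or a `"pattern"` admitting a comma-separated list of identifiers) would keep arbitrary strings out of the redirect. Whether other providers silently ignore an unknown `auth_type` is not visible here and would be worth confirming before advertising the parameter for all of them.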
@@ -76,6 +76,7 @@ func (c *Claims) Validate() error {
 // - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
 // - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
 // - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
+// - `auth_type` (string): The `auth_type` parameter specifies the requested authentication features (as a comma-separated list), e.g. `reauthenticate`.
 func UpstreamParameters(provider Provider, upstreamParameters map[string]string) []oauth2.AuthCodeOption {
 // validation of upstream parameters are already handled in the `oidc/.schema/link.schema.json` and `oidc/.schema/settings.schema.json` file.
 // `upstreamParameters` will always only contain allowed parameters based on the configuration.
@@ -85,6 +86,7 @@ func UpstreamParameters(provider Provider, upstreamParameters map[string]string)
 "login_hint": {},
 "hd": {},
 "prompt": {},
+ "auth_type": {},
 }
 
 var params []oauth2.AuthCodeOption
diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
index 0969caa38da5..aaf1f2ba818c 100644
--- a/selfservice/strategy/oidc/strategy_test.go
+++ b/selfservice/strategy/oidc/strategy_test.go
@@ -730,6 +730,7 @@ func TestStrategy(t *testing.T) {
 fv.Set("upstream_parameters.login_hint", "oidc-upstream-parameters@ory.sh")
 fv.Set("upstream_parameters.hd", "ory.sh")
 fv.Set("upstream_parameters.prompt", "select_account")
+ fv.Set("upstream_parameters.auth_type", "reauthenticate")
 
 res, err := c.PostForm(action, fv)
 require.NoError(t, err)
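Review bot: The added doc line for `auth_type` does not say which provider honours it, whereas the neighbouring `hd` entry explicitly names Google; the commit message identifies `auth_type` as a Facebook parameter, and a reader of this list has no way to learn that. Suggest appending `Used by the Facebook provider.` to the new comment line so operators do not configure it for providers where its effect is unknown. The body of `UpstreamParameters` continues past this hunk; the allowlist the comment documents is in the following hunk of the same file.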
@@ -741,6 +742,7 @@ func TestStrategy(t *testing.T) {
 require.Equal(t, "oidc-upstream-parameters@ory.sh", loc.Query().Get("login_hint"))
 require.Equal(t, "ory.sh", loc.Query().Get("hd"))
 require.Equal(t, "select_account", loc.Query().Get("prompt"))
+ require.Equal(t, "reauthenticate", loc.Query().Get("auth_type"))
 })
 
 t.Run("case=should pass when logging in", func(t *testing.T) {