# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1685996357 -7200
# Node ID d87d0e4a8516f84f39681bee57a7d18ee52ad8ea
# Parent  a08abbd1045d761a1fe6627247a6d3c0d2637035
mod_http_oauth2: Validate the OpenID 'prompt' parameter

Since there is currently no way to influence the login and consent procedure,
it seems sensible to inform the client that it cannot change anything with
this parameter.

diff -r a08abbd1045d -r d87d0e4a8516 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Jun 03 20:04:40 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 05 22:19:17 2023 +0200
@@ -776,6 +776,25 @@
 		end);
 	end
 
+	-- The 'prompt' parameter from OpenID Core
+	local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
+	if prompt:contains("none") then
+		-- Client wants no interaction, only confirmation of prior login and
+		-- consent, but this is not implemented.
+		return error_response(request, redirect_uri, oauth_error("interaction_required"));
+	elseif not prompt:contains("select_account") then
+		-- TODO If the login page is split into account selection followed by login
+		-- (e.g. password), and then the account selection could be skipped iff the
+		-- 'login_hint' parameter is present.
+		return error_response(request, redirect_uri, oauth_error("account_selection_required"));
+	elseif not prompt:contains("login") then
+		-- Currently no cookies or such are used, so login is required every time.
+		return error_response(request, redirect_uri, oauth_error("login_required"));
+	elseif not prompt:contains("consent") then
+		-- Are there any circumstances when consent would be implied or assumed?
+		return error_response(request, redirect_uri, oauth_error("consent_required"));
+	end
+
 	local auth_state = get_auth_state(request);
 	if not auth_state.user then
 		-- Render login page
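Review bot: The three `elseif` branches reject any `prompt` value that omits `select_account`, `login` or `consent`, but OpenID Connect Core §3.1.2.1 only defines `account_selection_required`, `login_required` and `consent_required` for the situation where `prompt=none` cannot be honoured; a request carrying `prompt=login` or `prompt=consent` alone is conforming and the server remains free to authenticate and ask for consent, so this turns away interoperable clients. Conversely, `none` combined with any other value is itself an error per the same section, yet the first branch treats it like a plain `prompt=none` and reports `interaction_required`. I would keep only the `none` check, e.g. `if prompt:contains("none") then return error_response(request, redirect_uri, oauth_error("interaction_required")); end`, default the parameter with `params.prompt or ""` so an absent value adds no constraint, and reject `none` mixed with other values if the set module offers a way to count or compare members. These early returns redirect to `redirect_uri`, so they presumably depend on it having been validated against the client's registration earlier in the handler, which begins outside this hunk; that ordering is worth confirming since these responses are reachable before any login.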