Changeset

5666:73c3d5bfce3e

mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt If the OIDC 'prompt' parameter does not contain the 'select_account' then it wants us to skip account selection, which means we have to figure which account to authenticate somehow. One way could be have this stored in a cookie from a previous successful login. Another way would be to have the account passed as a hint, which is what we add here.
author Kim Alvefur <zash@zash.se>
date Sat, 09 Sep 2023 21:42:24 +0200
parents 5665:7c105277a9ca
children 5667:23f336cec200
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Aug 27 09:49:35 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Sep 09 21:42:24 2023 +0200
@@ -864,7 +864,7 @@
 		-- Client wants no interaction, only confirmation of prior login and
 		-- consent, but this is not implemented.
 		return error_response(request, redirect_uri, oauth_error("interaction_required"));
-	elseif not prompt:contains("select_account") then
+	elseif not prompt:contains("select_account") and not params.login_hint then
 		-- TODO If the login page is split into account selection followed by login
 		-- (e.g. password), and then the account selection could be skipped iff the
 		-- 'login_hint' parameter is present.