Merge pull request #1656 from taxibeat/oidc-prompt-type

Make prompt configurable for oidc offline_access
dexidp · Feb 28, 2020 · 30ea963 · 30ea963
2 parents b7cf701 + d33a76f
commit 30ea963
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/Documentation/connectors/oidc.md b/Documentation/connectors/oidc.md
@@ -83,6 +83,11 @@ connectors:
     # The set claim is used as user name.
     # Default: name
     # userNameKey: nickname
+
+    # For offline_access, the prompt parameter is set by default to "prompt=consent". 
+    # However this is not supported by all OIDC providers, some of them support different
+    # value for prompt, like "prompt=login" or "prompt=none"
+    # promptType: consent
 ```
 
 [oidc-doc]: openid-connect.md

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
@@ -54,6 +54,9 @@ type Config struct {
 
 	// Configurable key which contains the user name claim
 	UserNameKey string `json:"userNameKey"`
+
+	// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
+	PromptType string `json:"promptType"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -113,6 +116,11 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		scopes = append(scopes, "profile", "email")
 	}
 
+	// PromptType should be "consent" by default, if not set
+	if c.PromptType == "" {
+		c.PromptType = "consent"
+	}
+
 	clientID := c.ClientID
 	return &oidcConnector{
 		provider:    provider,
@@ -135,6 +143,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		getUserInfo:               c.GetUserInfo,
 		userIDKey:                 c.UserIDKey,
 		userNameKey:               c.UserNameKey,
+		promptType:                c.PromptType,
 	}, nil
 }
 
@@ -156,6 +165,7 @@ type oidcConnector struct {
 	getUserInfo               bool
 	userIDKey                 string
 	userNameKey               string
+	promptType                string
 }
 
 func (c *oidcConnector) Close() error {
@@ -178,7 +188,7 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
 	}
 
 	if s.OfflineAccess {
-		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
+		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
 	}
 	return c.oauth2Config.AuthCodeURL(state, opts...), nil
 }