prosody-modules: mod_http_oauth2/mod_http

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5643:73c3d5bfce3e

mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt If the OIDC 'prompt' parameter does not contain the 'select_account' then it wants us to skip account selection, which means we have to figure which account to authenticate somehow. One way could be have this stored in a cookie from a previous successful login. Another way would be to have the account passed as a hint, which is what we add here.

author	Kim Alvefur <zash@zash.se>
date	Sat, 09 Sep 2023 21:42:24 +0200
parents	7c105277a9ca
children	d67980d9e12d

comparison

equal deleted inserted replaced

-:7c105277a9ca
+:73c3d5bfce3e
 	local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
 	if prompt:contains("none") then
 		-- Client wants no interaction, only confirmation of prior login and
 		-- consent, but this is not implemented.
 		return error_response(request, redirect_uri, oauth_error("interaction_required"));
-	elseif not prompt:contains("select_account") then
+	elseif not prompt:contains("select_account") and not params.login_hint then
 		-- TODO If the login page is split into account selection followed by login
 		-- (e.g. password), and then the account selection could be skipped iff the
 		-- 'login_hint' parameter is present.
 		return error_response(request, redirect_uri, oauth_error("account_selection_required"));
 	elseif not prompt:contains("login") then

Mercurial > prosody-modules

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5643:73c3d5bfce3e