# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1694288544 -7200
# Node ID 73c3d5bfce3e6b4202e8d9d2f8a4a2244910a069
# Parent  7c105277a9ca30999708515c521967c0be1f1460
mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt

If the OIDC 'prompt' parameter does not contain the 'select_account'
then it wants us to skip account selection, which means we have to
figure which account to authenticate somehow. One way could be have
this stored in a cookie from a previous successful login. Another way
would be to have the account passed as a hint, which is what we add
here.

diff -r 7c105277a9ca -r 73c3d5bfce3e mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Aug 27 09:49:35 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Sep 09 21:42:24 2023 +0200
@@ -864,7 +864,7 @@
 		-- Client wants no interaction, only confirmation of prior login and
 		-- consent, but this is not implemented.
 		return error_response(request, redirect_uri, oauth_error("interaction_required"));
-	elseif not prompt:contains("select_account") then
+	elseif not prompt:contains("select_account") and not params.login_hint then
 		-- TODO If the login page is split into account selection followed by login
 		-- (e.g. password), and then the account selection could be skipped iff the
 		-- 'login_hint' parameter is present.