# HG changeset patch
# User Kim Alvefur
# Date 1694288544 -7200
# Node ID 73c3d5bfce3e6b4202e8d9d2f8a4a2244910a069
# Parent 7c105277a9ca30999708515c521967c0be1f1460
mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt

If the OIDC 'prompt' parameter does not contain the 'select_account' then it wants us to skip account selection, which means we have to figure which account to authenticate somehow. One way could be have this stored in a cookie from a previous successful login. Another way would be to have the account passed as a hint, which is what we add here.

diff -r 7c105277a9ca -r 73c3d5bfce3e mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Aug 27 09:49:35 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Sep 09 21:42:24 2023 +0200
@@ -864,7 +864,7 @@
 -- Client wants no interaction, only confirmation of prior login and
 -- consent, but this is not implemented.
 return error_response(request, redirect_uri, oauth_error("interaction_required"));
- elseif not prompt:contains("select_account") then
+ elseif not prompt:contains("select_account") and not params.login_hint then
 -- TODO If the login page is split into account selection followed by login
 -- (e.g. password), and then the account selection could be skipped iff the
 -- 'login_hint' parameter is present.
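Review bot: The added `not params.login_hint` test is a truthiness check on a client-supplied query parameter, and in Lua an empty string is truthy, so a request carrying `login_hint=` with no value would presumably skip this branch just like one naming a real account. Consider requiring a non-empty (ideally validated) value, e.g. `elseif not prompt:contains("select_account") and (params.login_hint or "") == "" then`, and add a comment such as `-- login_hint is untrusted: it may only pre-select the account, the user must still authenticate`. The TODO below still describes login_hint handling as future work and should be updated to match. The branch body and the code that later consumes the hint are outside the hunk, so how the value is used cannot be confirmed here.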