# HG changeset patch
# User Kim Alvefur
# Date 1685996357 -7200
# Node ID d87d0e4a8516f84f39681bee57a7d18ee52ad8ea
# Parent a08abbd1045d761a1fe6627247a6d3c0d2637035
mod_http_oauth2: Validate the OpenID 'prompt' parameter

Without support for affecting the login and consent procedure, it seems sensible to inform the client that they can't change anything with this parameter.

diff -r a08abbd1045d -r d87d0e4a8516 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Jun 03 20:04:40 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 05 22:19:17 2023 +0200
@@ -776,6 +776,25 @@
 end);
 end
+ -- The 'prompt' parameter from OpenID Core
+ local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
+ if prompt:contains("none") then
+ -- Client wants no interaction, only confirmation of prior login and
+ consent, but this is not implemented.
+ return error_response(request, redirect_uri, oauth_error("interaction_required"));
+ elseif not prompt:contains("select_account") then
+ -- TODO If the login page is split into account selection followed by login
+ (e.g. password), and then the account selection could be skipped iff the
+ 'login_hint' parameter is present.
+ return error_response(request, redirect_uri, oauth_error("account_selection_required"));
+ elseif not prompt:contains("login") then
+ -- Currently no cookies or such are used, so login is required every time.
+ return error_response(request, redirect_uri, oauth_error("login_required"));
+ elseif not prompt:contains("consent") then
+ -- Are there any circumstances when consent would be implied or assumed?
+ return error_response(request, redirect_uri, oauth_error("consent_required"));
+ end
+
 local auth_state = get_auth_state(request);
 if not auth_state.user then
 -- Render login page
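Review bot: The three `elseif not prompt:contains(...)` branches reject requests that are valid under OpenID Connect Core 3.1.2.1, where `login`, `consent` and `select_account` each ask the server to force that interaction and do not exclude the others, so a client sending the common `prompt=login` is turned away with `account_selection_required` even though always showing account selection and consent already satisfies it. Only `none` constrains the server, and the spec describes `login_required`, `account_selection_required` and `consent_required` as errors for a `prompt=none` request that cannot be completed without interaction, not as a reply to the other values. I would keep only the `none` branch — `if prompt:contains("none") then return error_response(request, redirect_uri, oauth_error("interaction_required")); end` — and, because the spec says `none` combined with any other value is an error, answer that combination with `oauth_error("invalid_request")` instead; the default string `"select_account login consent"` then becomes unnecessary and `params.prompt or ""` suffices, assuming `parse_scopes` tolerates an empty string. The enclosing handler starts before and ends after this hunk, so I cannot see here whether `redirect_uri` has already been matched against the client's registered URIs before these error redirects are issued; that is worth confirming, since an unvalidated `redirect_uri` in `error_response` would be an open redirect.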