fix: improve login_hint usage on IDPs (#6899)

* only set prompt if no login_hint is set * update to current state and cleanup
2025-08-12 04:07:31 +00:00 · 2023-11-13 10:25:26 +02:00
parent 42a2c0093d
commit 0386fe7f96
8 changed files with 85 additions and 59 deletions
--- a/internal/idp/providers/oauth/oauth2.go
+++ b/internal/idp/providers/oauth/oauth2.go
@@ -87,17 +87,28 @@ func (p *Provider) Name() string {

 // BeginAuth implements the [idp.Provider] interface.
 // It will create a [Session] with an OAuth2.0 authorization request as AuthURL.
-func (p *Provider) BeginAuth(ctx context.Context, state string, params ...any) (idp.Session, error) {
-	opts := []rp.AuthURLOpt{rp.WithPrompt(oidc.PromptSelectAccount)}
+func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Parameter) (idp.Session, error) {
+	opts := make([]rp.AuthURLOpt, 0)
+	var loginHintSet bool
 	for _, param := range params {
-		if option, ok := param.(rp.AuthURLOpt); ok {
-			opts = append(opts, option)
+		if username, ok := param.(idp.LoginHintParam); ok {
+			loginHintSet = true
+			opts = append(opts, loginHint(string(username)))
 		}
 	}
+	if !loginHintSet {
+		opts = append(opts, rp.WithPrompt(oidc.PromptSelectAccount))
+	}
 	url := rp.AuthURL(state, p.RelyingParty, opts...)
 	return &Session{AuthURL: url, Provider: p}, nil
 }

+func loginHint(hint string) rp.AuthURLOpt {
+	return func() []oauth2.AuthCodeOption {
+		return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("login_hint", hint)}
+	}
+}
+
 // IsLinkingAllowed implements the [idp.Provider] interface.
 func (p *Provider) IsLinkingAllowed() bool {
 	return p.isLinkingAllowed