fix: add authURLParams to urls for external idps (#5404)

add authURL parameters to urls for external IDPs, depended on the contents of the authRequest --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 00:17:32 +00:00 · 2023-03-14 16:42:29 +01:00
parent 1f302fce96
commit f99cf50f69
4 changed files with 71 additions and 7 deletions
--- a/internal/api/ui/login/external_provider_handler.go
+++ b/internal/api/ui/login/external_provider_handler.go
@@ -136,6 +136,7 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		return
 	}
 	var provider idp.Provider
+
 	switch identityProvider.Type {
 	case domain.IDPTypeOAuth:
 		provider, err = l.oauthProvider(r.Context(), identityProvider)
@@ -165,7 +166,8 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		l.renderLogin(w, r, authReq, err)
 		return
 	}
-	session, err := provider.BeginAuth(r.Context(), authReq.ID, authReq.AgentID)
+	params := l.sessionParamsFromAuthRequest(r.Context(), authReq, identityProvider.ID)
+	session, err := provider.BeginAuth(r.Context(), authReq.ID, params...)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
@@ -801,7 +803,7 @@ func mapExternalUserToLoginUser(externalUser *domain.ExternalUser, mustBeDomain
 	externalIDP := &domain.UserIDPLink{
 		IDPConfigID:    externalUser.IDPConfigID,
 		ExternalUserID: externalUser.ExternalUserID,
-		DisplayName:    externalUser.DisplayName,
+		DisplayName:    externalUser.PreferredUsername,
 	}
 	return human, externalIDP, externalUser.Metadatas
 }
@@ -824,3 +826,53 @@ func mapExternalNotFoundOptionFormDataToLoginUser(formData *externalNotFoundOpti
 		PreferredLanguage: language.Make(formData.Language),
 	}
 }
+
+func (l *Login) sessionParamsFromAuthRequest(ctx context.Context, authReq *domain.AuthRequest, identityProviderID string) []any {
+	params := []any{authReq.AgentID}
+
+	if authReq.UserID != "" && identityProviderID != "" {
+		links, err := l.getUserLinks(ctx, authReq.UserID, identityProviderID)
+		if err != nil {
+			logging.WithFields("authReqID", authReq.ID, "userID", authReq.UserID, "providerID", identityProviderID).WithError(err).Warn("failed to get user links for")
+			return params
+		}
+		if len(links.Links) == 1 {
+			return append(params, keyAndValueToAuthURLOpt("login_hint", links.Links[0].ProvidedUsername))
+		}
+	}
+	if authReq.UserName != "" {
+		return append(params, keyAndValueToAuthURLOpt("login_hint", authReq.UserName))
+	}
+	if authReq.LoginName != "" {
+		return append(params, keyAndValueToAuthURLOpt("login_hint", authReq.LoginName))
+	}
+	if authReq.LoginHint != "" {
+		return append(params, keyAndValueToAuthURLOpt("login_hint", authReq.LoginHint))
+	}
+	return params
+}
+
+func keyAndValueToAuthURLOpt(key, value string) rp.AuthURLOpt {
+	return func() []oauth2.AuthCodeOption {
+		return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam(key, value)}
+	}
+}
+
+func (l *Login) getUserLinks(ctx context.Context, userID, idpID string) (*query.IDPUserLinks, error) {
+	userIDQuery, err := query.NewIDPUserLinksUserIDSearchQuery(userID)
+	if err != nil {
+		return nil, err
+	}
+	idpIDQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(idpID)
+	if err != nil {
+		return nil, err
+	}
+	return l.query.IDPUserLinks(ctx,
+		&query.IDPUserLinksSearchQuery{
+			Queries: []query.SearchQuery{
+				userIDQuery,
+				idpIDQuery,
+			},
+		}, false,
+	)
+}