Merge pull request #1176 from nextcloud/fix/1173/optional-prompt-auth-param
Change the behaviour related to the 'prompt' authentication param
2 parents 7816b7c + c410e3e commit a435e8d

2 files changed

Lines changed: 23 additions & 16 deletions


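--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -270,9 +270,11 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 'claims' => json_encode($claims),
 'state' => $state,
 'nonce' => $nonce,
-'prompt' => $oidcConfig['prompt'] ?? 'consent'
 ];
 
+if (isset($oidcConfig['prompt']) && is_string($oidcConfig['prompt'])) {
+$data['prompt'] = $oidcConfig['prompt'];
+}
 
 if ($isPkceEnabled) {
 $data['code_challenge'] = $this->toCodeChallenge($code_verifier);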
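Review bot: The new guard at line 275 accepts any string, including an empty one, so a config value of `''` is still sent as a bare `prompt=` parameter to the authorization endpoint instead of being treated as "not configured". OIDC Core defines `prompt` as a space-separated list drawn from `none`, `login`, `consent` and `select_account`, and an unexpected value is an error on the provider side, so it is worth tightening the check to `if (isset($oidcConfig['prompt']) && is_string($oidcConfig['prompt']) && $oidcConfig['prompt'] !== '') {` and, if you want to fail early, validating each token against that list. A short comment such as `// admin-configured; omitted entirely when unset so the provider applies its own default` would also record why the former `'consent'` fallback was dropped. The `login` method starts before this hunk and continues past it, so where `$oidcConfig` is loaded is not visible here.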

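--- a/lib/Service/TokenService.php
+++ b/lib/Service/TokenService.php
@@ -255,24 +255,29 @@ public function getExchangedToken(string $targetAudience, array $extraScopes = [
 }
 }
 $this->logger->debug('[TokenService] Exchanging the token: ' . $discovery['token_endpoint']);
+$tokenEndpointParams = [
+'client_id' => $oidcProvider->getClientId(),
+'client_secret' => $clientSecret,
+'grant_type' => 'urn:ietf:params:oauth:grant-type:token-exchange',
+'subject_token' => $loginToken->getAccessToken(),
+'subject_token_type' => 'urn:ietf:params:oauth:token-type:access_token',
+// can also be
+// urn:ietf:params:oauth:token-type:access_token
+// or urn:ietf:params:oauth:token-type:id_token
+// this one will get us an access token and refresh token within the response
+'requested_token_type' => 'urn:ietf:params:oauth:token-type:refresh_token',
+'audience' => $targetAudience,
+'scope' => $scope,
+];
+$oidcConfig = $this->config->getSystemValue('user_oidc', []);
+if (isset($oidcConfig['prompt']) && is_string($oidcConfig['prompt'])) {
+// none, consent, login and internal for oauth2 passport server
+$tokenEndpointParams['prompt'] = $oidcConfig['prompt'];
+}
 // more in https://www.keycloak.org/securing-apps/token-exchange
 $body = $this->clientService->post(
 $discovery['token_endpoint'],
-[
-'client_id' => $oidcProvider->getClientId(),
-'client_secret' => $clientSecret,
-'grant_type' => 'urn:ietf:params:oauth:grant-type:token-exchange',
-'subject_token' => $loginToken->getAccessToken(),
-'subject_token_type' => 'urn:ietf:params:oauth:token-type:access_token',
-// can also be
-// urn:ietf:params:oauth:token-type:access_token
-// or urn:ietf:params:oauth:token-type:id_token
-// this one will get us an access token and refresh token within the response
-'requested_token_type' => 'urn:ietf:params:oauth:token-type:refresh_token',
-'audience' => $targetAudience,
-'scope' => $scope,
-'prompt' => $this->config->getSystemValue('user_oidc.prompt', 'consent') // none,consent,login and internal for oauth2 passport server
-]
+$tokenEndpointParams,
 );
 $this->logger->debug('[TokenService] Token exchange request params', [
 'client_id' => $oidcProvider->getClientId(),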
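Review bot: The lookup at new lines 272-276 (`getSystemValue('user_oidc', [])` plus the `isset`/`is_string` guard) duplicates the exact same check the commit adds in LoginController, and the two already disagree with the old code about where the setting lives (`user_oidc.prompt` before, `user_oidc['prompt']` now), so a single helper such as `public function getConfiguredPrompt(): ?string` on this service, called from both places, would keep the key, the type check and any future value validation in one spot. As written, an empty string passes the guard and is sent as `prompt=`; adding `&& $oidcConfig['prompt'] !== ''` to the condition avoids that. `prompt` is an authorization-endpoint parameter in OIDC Core and RFC 8693 does not define it for the token-exchange grant, so the inline comment should say that it is only meaningful for the Passport server it names and that other providers are expected to ignore it. `getExchangedToken` starts before this hunk and continues after it, including the debug log whose remaining parameters are not visible here.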
