fix: fail on more prompt values next to none

fix: use slice for oidc prompt parsing and checking
feat: allow for prompt to skip authorize screen
2026-06-19 18:00:22 +00:00 · 2026-06-19 13:50:24 +03:00 · 2026-06-19 13:42:09 +03:00 · 2026-06-19 13:32:46 +03:00 · 2026-06-19 12:59:08 +03:00 · 2026-06-19 12:45:07 +03:00
6 changed files with 127 additions and 29 deletions
@@ -6,6 +6,7 @@ type ScreenParams = {
  oidc_ticket?: string;
  oidc_scope?: string;
  oidc_name?: string;
+  oidc_prompt?: "none" | "login";
 };

 const zodScreenParams = z.object({
@@ -14,6 +15,7 @@ const zodScreenParams = z.object({
  oidc_ticket: z.string().optional(),
  oidc_scope: z.string().optional(),
  oidc_name: z.string().optional(),
+  oidc_prompt: z.enum(["none", "login"]).optional(),
 });

 export function useScreenParams(params: URLSearchParams): ScreenParams {
@@ -25,6 +25,7 @@ import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
+import { useEffect } from "react";

 type Scope = {
  id: string;
@@ -90,7 +91,15 @@ export const AuthorizePage = () => {
  const isOidc = screenParams.login_for === "oidc";
  const compiledParams = recompileScreenParams(screenParams);

-  const authorizeMutation = useMutation({
+  // TODO: maybe a better way to do this
+  const shouldAutoAuthorize =
+    auth.authenticated &&
+    isOidc &&
+    screenParams.oidc_ticket !== undefined &&
+    screenParams.oidc_scope !== undefined &&
+    screenParams.oidc_prompt === "none";
+
+  const { mutate: authorizeMutate, isPending: authorizePending } = useMutation({
    mutationFn: () => {
      return axios.post("/api/oidc/authorize-complete", {
        ticket: screenParams.oidc_ticket,
@@ -110,6 +119,12 @@ export const AuthorizePage = () => {
    },
  });

+  useEffect(() => {
+    if (shouldAutoAuthorize) {
+      authorizeMutate();
+    }
+  }, [shouldAutoAuthorize, authorizeMutate]);
+
  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
    return (
      <Navigate
@@ -119,7 +134,7 @@ export const AuthorizePage = () => {
    );
  }

-  if (!auth.authenticated) {
+  if (!auth.authenticated || screenParams.oidc_prompt === "login") {
    return <Navigate to={`/login${compiledParams}`} replace />;
  }

@@ -168,14 +183,15 @@ export const AuthorizePage = () => {
      )}
      <CardFooter className="flex flex-col items-stretch gap-3">
        <Button
-          onClick={() => authorizeMutation.mutate()}
-          loading={authorizeMutation.isPending}
+          onClick={() => authorizeMutate()}
+          loading={authorizePending}
+          disabled={shouldAutoAuthorize}
        >
          {t("authorizeTitle")}
        </Button>
        <Button
          onClick={() => navigate(`/logout${compiledParams}`)}
-          disabled={authorizeMutation.isPending}
+          disabled={authorizePending || shouldAutoAuthorize}
          variant="outline"
        >
          {t("cancelTitle")}
@@ -63,7 +63,10 @@ export const LoginPage = () => {

  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);
+  const compiledParams = recompileScreenParams({
+    ...screenParams,
+    oidc_prompt: undefined,
+  });
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
@@ -196,7 +199,7 @@ export const LoginPage = () => {
    };
  }, [redirectTimer, redirectButtonTimer]);

-  if (auth.authenticated) {
+  if (auth.authenticated && screenParams.oidc_prompt !== "login") {
    return <Navigate to={loginForUrl} replace />;
  }

@@ -69,10 +69,11 @@ type ClientCredentials struct {
 }

 type AuthorizeScreenParams struct {
-	LoginFor   FrontendLoginFor `url:"login_for"`
-	OIDCTicket string           `url:"oidc_ticket"`
-	OIDCScope  string           `url:"oidc_scope"`
-	OIDCName   string           `url:"oidc_name"`
+	LoginFor   FrontendLoginFor   `url:"login_for"`
+	OIDCTicket string             `url:"oidc_ticket"`
+	OIDCScope  string             `url:"oidc_scope"`
+	OIDCName   string             `url:"oidc_name"`
+	OIDCPrompt service.OIDCPrompt `url:"oidc_prompt,omitempty"`
 }

 type AuthorizeCompleteRequest struct {
@@ -167,20 +168,65 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}

+	prompts := controller.oidc.GetPrompt(req.Prompt)
+
+	if slices.Contains(prompts, service.OIDCPromptNone) && len(prompts) > 1 {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:           errors.New("invalid prompt"),
+			reason:        "Invalid prompt",
+			reasonPublic:  "The prompt parameters are invalid",
+			callback:      req.RedirectURI,
+			callbackError: "invalid_request",
+			state:         req.State,
+		})
+		return
+	}
+
+	userContext, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		if !errors.Is(err, model.ErrUserContextNotFound) {
+			controller.log.App.Warn().Err(err).Msg("Failed to get user context")
+		}
+	}
+
+	if (err != nil || !userContext.Authenticated) && slices.Contains(prompts, service.OIDCPromptNone) {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:           errors.New("user not logged in"),
+			reason:        "User not logged in",
+			reasonPublic:  "The user is not logged in",
+			callback:      req.RedirectURI,
+			callbackError: "login_required",
+			state:         req.State,
+		})
+		return
+	}
+
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)

-	queries, err := query.Values(AuthorizeScreenParams{
+	values := AuthorizeScreenParams{
 		LoginFor:   FrontendLoginForOIDC,
 		OIDCTicket: ticket,
 		OIDCScope:  req.Scope,
 		OIDCName:   client.Name,
-	})
+	}
+
+	if slices.Contains(prompts, service.OIDCPromptLogin) {
+		values.OIDCPrompt = service.OIDCPromptLogin
+	} else if slices.Contains(prompts, service.OIDCPromptNone) {
+		values.OIDCPrompt = service.OIDCPromptNone
+	}
+
+	queries, err := query.Values(values)

 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to compile authorize queries",
-			reasonPublic: "An internal error occured while processing your request",
+			err:           err,
+			reason:        "Failed to compile authorize queries",
+			reasonPublic:  "An internal error occured while processing your request",
+			callback:      req.RedirectURI,
+			callbackError: "server_error",
+			state:         req.State,
 		})
 		return
 	}
@@ -208,16 +254,12 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to get user context",
-			reasonPublic: "User is not logged in or the session is invalid",
-			json:         true,
-		})
-		return
+		if !errors.Is(err, model.ErrUserContextNotFound) {
+			controller.log.App.Warn().Err(err).Msg("Failed to get user context")
+		}
 	}

-	if !userContext.Authenticated {
+	if err != nil || !userContext.Authenticated {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
@@ -425,7 +467,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}

-		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, *entry)
+		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, *entry, entry.AuthTime)

 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
@@ -25,6 +25,7 @@ const (
 type UserContext struct {
 	Authenticated bool
 	Provider      ProviderType
+	AuthTime      int64
 	Local         *LocalContext
 	OAuth         *OAuthContext
 	LDAP          *LDAPContext
@@ -110,6 +111,7 @@ func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext, error) {
 	*c = UserContext{
 		Authenticated: !session.TotpPending,
+		AuthTime:      session.CreatedAt,
 	}

 	switch session.Provider {
@@ -44,6 +44,15 @@ var (
 	ErrInvalidClient = errors.New("invalid_client")
 )

+type OIDCPrompt string
+
+const (
+	OIDCPromptLogin OIDCPrompt = "login"
+	OIDCPromptNone  OIDCPrompt = "none"
+)
+
+var SupportedPrompts = []string{string(OIDCPromptLogin), string(OIDCPromptNone)}
+
 // This is not spec-compliant, the ID token SHOULD NOT contain user info claims but,
 // it has became a "standard" and apps are looking for the claims in the ID tokens
 // instead of calling the userinfo endpoint, so we include them in the ID token as well
@@ -54,6 +63,7 @@ type ClaimSet struct {
 	Sub               string   `json:"sub"`
 	Iat               int64    `json:"iat"`
 	Exp               int64    `json:"exp"`
+	AuthTime          int64    `json:"auth_time,omitempty"`
 	Name              string   `json:"name,omitempty"`
 	GivenName         string   `json:"given_name,omitempty"`
 	FamilyName        string   `json:"family_name,omitempty"`
@@ -117,6 +127,7 @@ type AuthorizeRequest struct {
 	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
 	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
 	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
+	Prompt              string `form:"prompt" json:"prompt" url:"prompt"`
 }

 type AuthorizeCodeEntry struct {
@@ -127,6 +138,7 @@ type AuthorizeCodeEntry struct {
 	Nonce         string
 	CodeChallenge string
 	Userinfo      UserinfoResponse
+	AuthTime      int64
 }

 type UsedCodeEntry struct {
@@ -423,6 +435,7 @@ func (service *OIDCService) CreateCode(req AuthorizeRequest, userContext model.U
 		ClientID:    req.ClientID,
 		Nonce:       req.Nonce,
 		Userinfo:    service.userinfoFromContext(userContext, sub),
+		AuthTime:    userContext.AuthTime,
 	}

 	if req.CodeChallenge != "" {
@@ -512,7 +525,7 @@ func (service *OIDCService) GetCodeEntry(codeHash string, clientId string) (*Aut
 	return &entry, true
 }

-func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user UserinfoResponse, scope string, nonce string) (string, error) {
+func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user UserinfoResponse, scope string, nonce string, auth_time int64) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()

@@ -549,6 +562,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 		Sub:               user.Sub,
 		Iat:               createdAt,
 		Exp:               expiresAt,
+		AuthTime:          auth_time,
 		Name:              userInfo.Name,
 		Email:             userInfo.Email,
 		EmailVerified:     userInfo.EmailVerified,
@@ -578,8 +592,8 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 	return token, nil
 }

-func (service *OIDCService) GenerateAccessToken(ctx context.Context, client model.OIDCClientConfig, codeEntry AuthorizeCodeEntry) (*TokenResponse, error) {
-	idToken, err := service.generateIDToken(client, codeEntry.Userinfo, codeEntry.Scope, codeEntry.Nonce)
+func (service *OIDCService) GenerateAccessToken(ctx context.Context, client model.OIDCClientConfig, codeEntry AuthorizeCodeEntry, authTime int64) (*TokenResponse, error) {
+	idToken, err := service.generateIDToken(client, codeEntry.Userinfo, codeEntry.Scope, codeEntry.Nonce, authTime)

 	if err != nil {
 		return nil, err
@@ -660,7 +674,7 @@ func (service *OIDCService) RefreshAccessToken(ctx context.Context, refreshToken

 	idToken, err := service.generateIDToken(model.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, userInfo, entry.Scope, entry.Nonce)
+	}, userInfo, entry.Scope, entry.Nonce, 0) // auth_time is not available during refresh, so we set it to 0

 	if err != nil {
 		return nil, err
@@ -929,5 +943,24 @@ func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRe
 		Nonce:               get("nonce"),
 		CodeChallenge:       get("code_challenge"),
 		CodeChallengeMethod: get("code_challenge_method"),
+		Prompt:              get("prompt"),
 	}, nil
 }
+
+func (service *OIDCService) GetPrompt(prompt string) []OIDCPrompt {
+	if prompt == "" {
+		return []OIDCPrompt{}
+	}
+
+	parsedPromps := make([]OIDCPrompt, 0)
+	prompts := strings.SplitSeq(prompt, " ")
+
+	for p := range prompts {
+		if !slices.Contains(SupportedPrompts, p) {
+			continue
+		}
+		parsedPromps = append(parsedPromps, OIDCPrompt(p))
+	}
+
+	return parsedPromps
+}
Author	SHA1	Message	Date
Stavros	dcec803140	fix: fail on more prompt values next to none	2026-06-19 13:50:24 +03:00
Stavros	b6f6303d1f	fix: use slice for oidc prompt parsing and checking	2026-06-19 13:42:09 +03:00
Stavros	32e899e77e	feat: allow for prompt to skip authorize screen	2026-06-19 13:32:46 +03:00
Stavros	80bb4f1bc8	feat: support for prompt=none	2026-06-19 12:59:08 +03:00
Stavros	dbc9b1eb5c	feat: support for prompt=login in oidc flow	2026-06-19 12:45:07 +03:00