Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds support for OIDC 'prompt=none' parameter value #1351

Closed
wants to merge 1 commit into from
Closed

Adds support for OIDC 'prompt=none' parameter value #1351

wants to merge 1 commit into from

Conversation

kuzjka
Copy link

@kuzjka kuzjka commented Sep 3, 2023

This change provides limited support for OIDC prompt parameter for authorization code requests. If the request contains prompt parameter and it's value is none, authorization server does not redirect user to login/consent page. Instead, OAuth2 redirects back to client app with OIDC error codes login_required or consent_required.

Fixes gh-501 (partially)

@kuzjka
Adds support for OIDC 'prompt=none' parameter value
ddef09d 
This change provides limited support for OIDC 'prompt' parameter for authorization code requests.
If the request contains 'prompt' parameter and it's value is 'none', authorization server does not redirect user to login/consent page. Instead, OAuth2 error is returned in redirect to client app.

Fixes spring-projectsgh-501 (partially)
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 3, 2023
@kuzjka kuzjka mentioned this pull request Sep 3, 2023
Closed
@kuzjka
Copy link
Author

kuzjka commented Sep 3, 2023
edited
Loading

Possible improvements to be done:

  • support also login and consent values for prompt. As I understand, they act like flags, while none means all flags are not set
  • validate parameter value. Only four possible values are defined by the spec1. none cannot be used with other values

This is my first commit to the project, so I would appreciate for your help with some questions on implementation:

  1. Am I right with the target branch selection? 1.1.x or main?
  2. Since prompt parameter name is not added yet to org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames, I have added OIDC-related constants to OAuth2AuthorizationEndpointFilter. We might want to keep OAuth2 components to be not aware of OIDC extensions. Probably this OIDC logic is better to be placed in a separate class.
  3. I have checked redirect URL and its parameters using UriComponentsBuilder in tests, to avoid dependence on the order of parameters in URL. Can we rely on the order here and check the whole URL string? Or is it better to mock authenticationFailureHandler and check the exception coming to it?
  4. Do I need to add any notes to the documentation in scope of this change? In particular to How-to: Authenticate using a Single Page Application with PKCE.

Thank you for your time.

Footnotes

  1. https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

@jgrandja
Copy link
Collaborator

@kuzjka Thanks for the PR. However, I'm not sure if you noticed but gh-501 is currently "on-hold" as indicated in the labels.

It's always best to reach out first before submitting a feature PR to see if the feature is planned for a release. At the moment, we have other priority tasks that we're working on and this feature is not yet planned for a release.

Furthermore, when this feature is planned for a release, we would likely require none, login, and consent to be implemented in the PR.

I'm going to close this PR but you can track our project planning board to see when this feature is prioritized for an upcoming release and please reach out then.

@jgrandja jgrandja closed this Sep 15, 2023
@jgrandja jgrandja self-assigned this Sep 15, 2023
@jgrandja jgrandja added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 15, 2023
@kuzjka
Copy link
Author

kuzjka commented Sep 17, 2023

Thank you for the feedback, Joe.
Looking forward to new releases :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jgrandja jgrandja

Labels
status: declined A suggestion or change that we don't feel we should currently apply
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kuzjka @jgrandja @spring-projects-issues