Support prompt=create

Allows RPs to ask for account creation See https://openid.net/specs/openid-connect-prompt-create-1_0.html
2025-07-29 22:01:14 +03:00 · 2022-03-14 16:33:24 +01:00
parent 794a1b8651
commit 8e9bda654f
4 changed files with 27 additions and 3 deletions
--- a/crates/handlers/src/oauth2/authorization.rs
+++ b/crates/handlers/src/oauth2/authorization.rs
@ -73,7 +73,7 @@ use warp::{
    Filter, Rejection, Reply,
 };

-use crate::views::{LoginRequest, PostAuthAction, ReauthRequest};
+use crate::views::{LoginRequest, PostAuthAction, ReauthRequest, RegisterRequest};

 #[derive(Deserialize)]
 struct PartialParams {
@ -310,6 +310,7 @@ async fn actually_reply(
        .wrap_error()
 }

+#[allow(clippy::too_many_lines)]
 async fn get(
    params: Params,
    maybe_session: Option<BrowserSession<PostgresqlBackend>>,
@ -427,6 +428,16 @@ async fn get(
            // Other cases where we already have a session
            step(next, user_session, txn).await
        }
+        (None, Some(Prompt::Create)) => {
+            // Client asked for a registration, show the registration prompt
+            txn.commit().await.wrap_error()?;
+
+            let next: PostAuthAction = next.into();
+            let next: RegisterRequest = next.into();
+            let next = next.build_uri().wrap_error()?;
+
+            Ok(ReplyOrBackToClient::Reply(Box::new(see_other(next))))
+        }
        (None, _) => {
            // Other cases where we don't have a session, ask for a login
            txn.commit().await.wrap_error()?;
--- a/crates/handlers/src/oauth2/discovery.rs
+++ b/crates/handlers/src/oauth2/discovery.rs
@ -26,7 +26,7 @@ use mas_jose::SigningKeystore;
 use mas_warp_utils::filters::{self, url_builder::UrlBuilder};
 use oauth2_types::{
    oidc::{ClaimType, Metadata, SubjectType},
-    requests::{Display, GrantType, ResponseMode},
+    requests::{Display, GrantType, Prompt, ResponseMode},
    scope,
 };
 use warp::{filters::BoxedFilter, Filter, Reply};
@ -158,6 +158,14 @@ pub(super) fn filter(
    let request_parameter_supported = Some(false);
    let request_uri_parameter_supported = Some(false);

+    let prompt_values_supported = Some({
+        let mut s = HashSet::new();
+        s.insert(Prompt::None);
+        s.insert(Prompt::Login);
+        s.insert(Prompt::Create);
+        s
+    });
+
    let metadata = Metadata {
        issuer,
        authorization_endpoint,
@ -182,6 +190,7 @@ pub(super) fn filter(
        claims_parameter_supported,
        request_parameter_supported,
        request_uri_parameter_supported,
+        prompt_values_supported,
        ..Metadata::default()
    };

--- a/crates/oauth2-types/src/oidc.rs
+++ b/crates/oauth2-types/src/oidc.rs
@ -25,7 +25,7 @@ use serde::Serialize;
 use serde_with::skip_serializing_none;
 use url::Url;

-use crate::requests::{Display, GrantType, ResponseMode};
+use crate::requests::{Display, GrantType, Prompt, ResponseMode};

 #[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash, Debug)]
 #[serde(rename_all = "lowercase")]
@ -234,4 +234,7 @@ pub struct Metadata {
    /// Indicates whether the authorization server accepts authorization
    /// requests only via PAR.
    pub require_pushed_authorization_requests: Option<bool>,
+
+    /// Array containing the list of prompt values that this OP supports.
+    pub prompt_values_supported: Option<HashSet<Prompt>>,
 }
--- a/crates/oauth2-types/src/requests.rs
+++ b/crates/oauth2-types/src/requests.rs
@ -95,6 +95,7 @@ pub enum Prompt {
    Login,
    Consent,
    SelectAccount,
+    Create,
 }

 #[serde_as]