OIDC connector: Allow specifying empty prompt type (#3373)

Enhanced the OIDC connector to allow specifying an empty promptType parameter. Previously, the default behavior always appended 'consent' if promptType was not specified. This adjustment was necessary due to variations in default behaviors across certain Identity Providers (IDPs). Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 years ago · e5dce3d3b7
2 changed files with 40 additions and 4 deletions
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@ -76,7 +76,7 @@ type Config struct {
 	UserNameKey string `json:"userNameKey"`

 	// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
-	PromptType string `json:"promptType"`
+	PromptType *string `json:"promptType"`

 	// OverrideClaimMapping will be used to override the options defined in claimMappings.
 	// i.e. if there are 'email' and `preferred_email` claims available, by default Dex will always use the `email` claim independent of the ClaimMapping.EmailKey.
@ -242,8 +242,9 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 	}

 	// PromptType should be "consent" by default, if not set
-	if c.PromptType == "" {
-		c.PromptType = "consent"
+	promptType := "consent"
+	if c.PromptType != nil {
+		promptType = *c.PromptType
 	}

 	clientID := c.ClientID
@ -268,7 +269,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		allowedGroups:             c.AllowedGroups,
 		acrValues:                 c.AcrValues,
 		getUserInfo:               c.GetUserInfo,
-		promptType:                c.PromptType,
+		promptType:                promptType,
 		userIDKey:                 c.UserIDKey,
 		userNameKey:               c.UserNameKey,
 		overrideClaimMapping:      c.OverrideClaimMapping,
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@ -19,6 +19,7 @@ import (

 	"github.com/go-jose/go-jose/v4"
 	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"

 	"github.com/dexidp/dex/connector"
 )
@ -584,6 +585,40 @@ func TestTokenIdentity(t *testing.T) {
 	}
 }

+func TestPromptType(t *testing.T) {
+	pointer := func(s string) *string {
+		return &s
+	}
+
+	tests := []struct {
+		name       string
+		promptType *string
+		res        string
+	}{
+		{name: "none", promptType: pointer("none"), res: "none"},
+		{name: "provided empty string", promptType: pointer(""), res: ""},
+		{name: "login", promptType: pointer("login"), res: "login"},
+		{name: "consent", promptType: pointer("consent"), res: "consent"},
+		{name: "default value", promptType: nil, res: "consent"},
+	}
+
+	testServer, err := setupServer(nil, true)
+	require.NoError(t, err)
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			conn, err := newConnector(Config{
+				Issuer:     testServer.URL,
+				Scopes:     []string{"openid", "groups"},
+				PromptType: tc.promptType,
+			})
+			require.NoError(t, err)
+
+			require.Equal(t, tc.res, conn.promptType)
+		})
+	}
+}
+
 func TestProviderOverride(t *testing.T) {
 	testServer, err := setupServer(map[string]any{
 		"sub":  "subvalue",