diff --git a/README.md b/README.md index 068352618..973eac361 100644 --- a/README.md +++ b/README.md @@ -265,7 +265,7 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i ``` Usage of oauth2_proxy: - -approval-prompt string: OAuth approval_prompt (default "force") + -approval-prompt string: OAuth approval_prompt (see also: prompt) (default "force") -authenticated-emails-file string: authenticate against emails via file (one per line) -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common") -banner string: custom sign-in banner text/html. Use "-" to disable default banner. @@ -303,6 +303,7 @@ Usage of oauth2_proxy: -pass-host-header: pass the request Host Header to upstream (default true) -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true) -profile-url string: Profile access endpoint + -prompt string: OIDC prompt (overrides approval-prompt) -provider string: OAuth provider (default "google") -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2") -proxy-websockets: enables WebSocket proxying (default true) diff --git a/main.go b/main.go index 38623bfe9..cc9de6f36 100644 --- a/main.go +++ b/main.go @@ -85,7 +85,8 @@ func mainFlagSet() *flag.FlagSet { flagSet.String("resource", "", "The resource that is protected (Azure AD only)") flagSet.String("validate-url", "", "Access token validation endpoint") flagSet.String("scope", "", "OAuth scope specification") - flagSet.String("approval-prompt", "force", "OAuth approval_prompt") + flagSet.String("prompt", "", "OIDC prompt (overrides approval-prompt)") + flagSet.String("approval-prompt", "force", "OAuth approval_prompt (see also: prompt)") flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)") diff --git a/options.go b/options.go index 4d1e5b094..310bab654 100644 --- a/options.go 
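Review bot: The new `prompt` flag in mainFlagSet is forwarded to the provider exactly as typed, while OIDC Core fixes its vocabulary to a space-separated list of `none`, `login`, `consent` and `select_account`; a mistyped value is only noticed as an error page from the provider at sign-in time. The flag help could at least name the accepted values, e.g. `flagSet.String("prompt", "", "OIDC prompt: space-separated list of none, login, consent, select_account (overrides approval-prompt)")`, and if Options has a validation pass (not visible in these hunks) that is where I would reject anything outside that list. Note also that a non-empty `prompt` makes the default `approval-prompt=force` silently irrelevant (see the GetLoginURL hunk), which the approval-prompt help text could state instead of only pointing at prompt.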
+++ b/options.go @@ -80,7 +80,8 @@ type Options struct { ProtectedResource string `flag:"resource" cfg:"resource"` ValidateURL string `flag:"validate-url" cfg:"validate_url"` Scope string `flag:"scope" cfg:"scope"` - ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` + Prompt string `flag:"prompt" cfg:"prompt"` + ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0 XHeaders bool `flag:"xheaders" cfg:"xheaders"` RequestLogging bool `flag:"request-logging" cfg:"request_logging"` @@ -119,6 +120,7 @@ func NewOptions() *Options { PassUserHeaders: true, PassAccessToken: false, PassHostHeader: true, + Prompt: "", // Change to "login" when ApprovalPrompt deprecated/removed ApprovalPrompt: "force", XHeaders: true, RequestLogging: true, @@ -235,6 +237,7 @@ func parseProviderInfo(o *Options, msgs []string) []string { Scope: o.Scope, ClientID: o.ClientID, ClientSecret: o.ClientSecret, + Prompt: o.Prompt, ApprovalPrompt: o.ApprovalPrompt, } p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs) diff --git a/providers/provider_data.go b/providers/provider_data.go index 92e27dd7a..0f7a51b88 100644 --- a/providers/provider_data.go +++ b/providers/provider_data.go @@ -14,6 +14,7 @@ type ProviderData struct { ProtectedResource *url.URL ValidateURL *url.URL Scope string + Prompt string ApprovalPrompt string } diff --git a/providers/provider_default.go b/providers/provider_default.go index 769925c59..2e104d1e7 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go 
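Review bot: The `// Deprecated by OIDC 1.0` trailer on the ApprovalPrompt field is invisible to the tooling that surfaces deprecations (staticcheck, gopls, pkg.go.dev), which only recognises a `Deprecated:` paragraph in the doc comment above the declaration. I would move it above the field as `// Deprecated: superseded by Prompt (OIDC 1.0); kept for configs that still set approval_prompt.` so that new uses of the field get flagged, and keep the struct-tag line free of trailing commentary. The explicit `Prompt: ""` default in NewOptions a few lines further down is fine as intent documentation, but its comment should also say what the fallback is today, namely that an empty Prompt makes GetLoginURL send the legacy approval_prompt instead.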
@@ -83,7 +83,11 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
 a = *p.LoginURL
 params, _ := url.ParseQuery(a.RawQuery)
 params.Set("redirect_uri", redirectURI)
- params.Set("approval_prompt", p.ApprovalPrompt)
+ if p.Prompt != "" {
+ params.Set("prompt", p.Prompt)
+ } else { // Legacy variant of the prompt param:
+ params.Set("approval_prompt", p.ApprovalPrompt)
+ }
 params.Add("scope", p.Scope)
 params.Set("client_id", p.ClientID)
 params.Set("response_type", "code")
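Review bot: The comment hung on the `} else {` line in GetLoginURL is unusual Go style and reads as if it described the keyword rather than the fallback; put it on its own line inside the block as `// Pre-OIDC parameter, only sent when no prompt is configured.` Also note that `params` is seeded from p.LoginURL's own query string, so a login URL configured with its own `approval_prompt=` would still go out alongside `prompt` in the new branch, since only the legacy key became conditional; if the two are meant to be mutually exclusive on the wire, a `params.Del("approval_prompt")` in the prompt branch would make that explicit. GetLoginURL's body starts and ends outside this hunk.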