support prompt in addition to approval-prompt

README.md

@@ -265,7 +265,7 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
 
 ```
 Usage of oauth2_proxy:
-  -approval-prompt string: OAuth approval_prompt (default "force")
+  -approval-prompt string: OAuth approval_prompt (see also: prompt) (default "force")
   -authenticated-emails-file string: authenticate against emails via file (one per line)
   -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common")
   -banner string: custom sign-in banner text/html. Use "-" to disable default banner.
@@ -303,6 +303,7 @@ Usage of oauth2_proxy:
   -pass-host-header: pass the request Host Header to upstream (default true)
   -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
   -profile-url string: Profile access endpoint
+  -prompt string: OIDC prompt (overrides approval-prompt)
   -provider string: OAuth provider (default "google")
   -proxy-prefix string: the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth2")
   -proxy-websockets: enables WebSocket proxying (default true)

main.go

@@ -85,7 +85,8 @@ func mainFlagSet() *flag.FlagSet {
 	flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "OAuth scope specification")
-	flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
+	flagSet.String("prompt", "", "OIDC prompt (overrides approval-prompt)")
+	flagSet.String("approval-prompt", "force", "OAuth approval_prompt (see also: prompt)")
 
 	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
 

options.go

@@ -80,7 +80,8 @@ type Options struct {
 	ProtectedResource string `flag:"resource" cfg:"resource"`
 	ValidateURL       string `flag:"validate-url" cfg:"validate_url"`
 	Scope             string `flag:"scope" cfg:"scope"`
-	ApprovalPrompt    string `flag:"approval-prompt" cfg:"approval_prompt"`
+	Prompt            string `flag:"prompt" cfg:"prompt"`
+	ApprovalPrompt    string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
 
 	XHeaders             bool   `flag:"xheaders" cfg:"xheaders"`
 	RequestLogging       bool   `flag:"request-logging" cfg:"request_logging"`
@@ -119,6 +120,7 @@ func NewOptions() *Options {
 		PassUserHeaders:      true,
 		PassAccessToken:      false,
 		PassHostHeader:       true,
+		Prompt:               "", // Change to "login" when ApprovalPrompt deprecated/removed
 		ApprovalPrompt:       "force",
 		XHeaders:             true,
 		RequestLogging:       true,
@@ -235,6 +237,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 		Scope:          o.Scope,
 		ClientID:       o.ClientID,
 		ClientSecret:   o.ClientSecret,
+		Prompt:         o.Prompt,
 		ApprovalPrompt: o.ApprovalPrompt,
 	}
 	p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs)

providers/provider_data.go

@@ -14,6 +14,7 @@ type ProviderData struct {
 	ProtectedResource *url.URL
 	ValidateURL       *url.URL
 	Scope             string
+	Prompt            string
 	ApprovalPrompt    string
 }
 

providers/provider_default.go

@@ -83,7 +83,11 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
 	a = *p.LoginURL
 	params, _ := url.ParseQuery(a.RawQuery)
 	params.Set("redirect_uri", redirectURI)
-	params.Set("approval_prompt", p.ApprovalPrompt)
+	if p.Prompt != "" {
+		params.Set("prompt", p.Prompt)
+	} else { // Legacy variant of the prompt param:
+		params.Set("approval_prompt", p.ApprovalPrompt)
+	}
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")