Open btmccollum opened 1 year ago
If I understand you correctly @btmccollum, this would be useful for step-up authentication, i.e. when a user already has access but wishes to reach a high-privilege page, you could re-auth with `acr_values` set. Is that what you were thinking?
I would really need this for the `prompt` option too.
Not sure about the format for that, should we just be able to pass it as parameters to the URL?
Did you think of any way to work around this @seanarnold @btmccollum?

When looking through the `authorize_uri` method I noticed the option `allow_authorize_params`, and when I set it like:

```ruby
config.omniauth(
  :openid_connect,
  {
    name: :provider,
    scope: %i[openid],
    discovery: true,
    pkce: true,
    response_type: :code,
    issuer: provider_url,
    allow_authorize_params: %w[prompt],
    client_options: {...}
  }
)
```

then I can pass `prompt=login` as a parameter to the authorize endpoint 🙂

Maybe that can work for `acr_values` too?
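To make the allow-list behaviour discussed above concrete, here is an added, constructed Ruby example (not the gem's own code, and not from anyone in this thread) that models how an `allow_authorize_params`-style allow-list forwards selected request parameters into the authorization request while dropping everything else. The endpoint, client_id and redirect_uri values are placeholders, and the merge order (static initializer options win over request parameters) is an assumption chosen to illustrate why unrestricted passthrough would be a concern.

```ruby
require 'uri'

# Constructed example: parameters a deployment chooses to forward from the
# incoming request into the OIDC authorization request (assumed defaults).
ALLOWED_DEFAULTS = %w[prompt login_hint].freeze

# Static options a deployment would pin in its initializer (placeholder values).
BASE_OPTIONS = {
  response_type: 'code',
  scope: 'openid',
  client_id: 'example-client',                 # placeholder
  redirect_uri: 'https://app.example/callback' # placeholder
}.freeze

# Merge the statically configured options with only those request parameters
# that appear in the allow-list. Static options always win on key collision,
# so a caller can never override redirect_uri, scope, etc. via the query string.
def authorize_params(request_params, allow: ALLOWED_DEFAULTS, base: BASE_OPTIONS)
  forwarded = request_params.select { |k, _| allow.include?(k.to_s) }
  forwarded = forwarded.transform_keys(&:to_sym)
  forwarded.merge(base)
end

# Build the final authorization URL from the merged parameter set.
def authorize_uri(endpoint, params)
  uri = URI.parse(endpoint)
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: prompt is allowed, acr_values is not, and the
  # redirect_uri override attempt is discarded because the static value wins.
  incoming = {
    'prompt' => 'login',
    'acr_values' => 'urn:example:mfa',
    'redirect_uri' => 'https://attacker.example/cb'
  }
  puts authorize_uri('https://op.example/authorize', authorize_params(incoming))

  # Extending the allow-list with acr_values forwards it as well.
  puts authorize_uri('https://op.example/authorize',
                     authorize_params(incoming, allow: %w[prompt acr_values]))
end
```

Whether the real gem applies the same precedence is not established by this thread; the point of the model is that an explicit allow-list plus static-wins merging is what keeps `redirect_uri` and friends from being influenced by the incoming request.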
For the purposes of login/auth, I'm curious about the ability to pass a user's name when applicable to prefill a login form along with the login hint email, but it seems that in `#authorize_uri` the acr values can only be hardcoded from the devise initializer file, whereas login hint and others are taken from params. I am not too well versed in the OpenID spec, but from what I understand it seems like this shouldn't be an issue unless it is implemented in this manner for potential security concerns? Is this something that would possibly be entertained as a PR, or is there something I'm overlooking here?