From c897bc83875394a236938ace0e8cbe49963c9995 Mon Sep 17 00:00:00 2001
From: Thomas Vaillant
Date: Mon, 5 Nov 2018 16:43:30 +0100
Subject: [PATCH] Add -prompt flag

Space separated list of OpenID prompt options (https://developers.google.com/identity/protocols/OpenIDConnect#prompt)
---
 README.md           | 1 +
 forwardauth.go      | 6 +++++-
 forwardauth_test.go | 2 ++
 main.go             | 3 +++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8626c53..c0ef51b 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ The following configuration is supported:
 |-domain|string|Comma separated list of email domains to allow|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
+|-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
 
 Configuration can also be supplied as environment variables (use upper case and swap `-`'s for `_`'s e.g. `-client-id` becomes `CLIENT_ID`)
 
diff --git a/forwardauth.go b/forwardauth.go
index 043882d..3bc90c7 100644
--- a/forwardauth.go
+++ b/forwardauth.go
@@ -40,6 +40,8 @@ type ForwardAuth struct {
 	Domain []string
 
 	Direct bool
+
+	Prompt string
 }
 
 // Request Validation
@@ -114,7 +116,9 @@ func (f *ForwardAuth) GetLoginURL(r *http.Request, nonce string) string {
 	q.Set("client_id", fw.ClientId)
 	q.Set("response_type", "code")
 	q.Set("scope", fw.Scope)
-	// q.Set("approval_prompt", fw.ClientId)
+	if fw.Prompt != "" {
+		q.Set("prompt", fw.Prompt)
+	}
 	q.Set("redirect_uri", f.redirectUri(r))
 	q.Set("state", state)
 
diff --git a/forwardauth_test.go b/forwardauth_test.go
index 0268f92..a5fd09d 100644
--- a/forwardauth_test.go
+++ b/forwardauth_test.go
@@ -146,6 +146,7 @@ func TestGetLoginURL(t *testing.T) {
 			Host: "test.com",
 			Path: "/auth",
 		},
+		Prompt: "consent select_account",
 	}
 
 	// Check url
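Review bot: The new `Prompt` field carries no doc comment, so nothing at the struct tells a reader that it is sent verbatim as the OIDC `prompt` query parameter and that an empty value omits the parameter, which is what the GetLoginURL hunk below implements. Suggest `// Prompt is the OIDC prompt parameter sent on the login redirect (space separated, e.g. "consent select_account"); empty omits it.` above the field. The neighbouring fields appear to be undocumented as well, so this would be a first for the struct, but this field is where the flag's meaning lives. The ForwardAuth struct definition begins before the hunk.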
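Review bot: The new branch passes `fw.Prompt` through as-is, so whether `prompt=none` is safe here depends on code outside the hunk: with `none` the IdP answers `error=login_required` (or a related error) instead of a code whenever the user has no active session, and unless the callback treats that error response as a plain login failure the proxy will send users into an error page or a redirect loop. The value is operator-supplied via flag/env and `url.Values` percent-encodes the space, so this is a configuration-validation concern rather than an injection one; rejecting `none` (and anything outside `none`/`login`/`consent`/`select_account`) at startup is the cheap fix unless the callback is confirmed to handle it. A short comment would also help, e.g. `// Optional OIDC prompt hint; "login" forces re-authentication at the IdP, empty leaves the IdP's default behaviour.` The added line follows the `fw.ClientId`/`fw.Scope` style of its neighbours while `f.redirectUri(r)` on the next line uses the receiver, which looks pre-existing rather than introduced here. GetLoginURL's body starts and ends outside the hunk.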
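Review bot: The test exercises only the configured case; nothing asserts that an unset `Prompt` keeps `prompt` out of the query, which is the reason the `if fw.Prompt != ""` guard in forwardauth.go exists. A second case with `Prompt` left at its zero value, checking `if _, ok := qs["prompt"]; ok { t.Error("prompt should be omitted when empty") }` after parsing the URL, would pin that branch. TestGetLoginURL begins before the hunk and continues after it.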
@@ -170,6 +171,7 @@ func TestGetLoginURL(t *testing.T) {
 		"redirect_uri": []string{"http://example.com/_oauth"},
 		"response_type": []string{"code"},
 		"scope": []string{"scopetest"},
+		"prompt": []string{"consent select_account"},
 		"state": []string{"nonce:http://example.com/hello"},
 	}
 	if !reflect.DeepEqual(qs, expectedQs) {
diff --git a/main.go b/main.go
index 1f8f617..fd96f52 100644
--- a/main.go
+++ b/main.go
@@ -142,6 +142,7 @@ func main() {
 	cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies")
 	domainList := flag.String("domain", "", "Comma separated list of email domains to allow")
 	direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)")
+	prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options")
 
 	flag.Parse()
 
@@ -216,6 +217,8 @@ func main() {
 		Domain: domain,
 
 		Direct: *direct,
+
+		Prompt: *prompt,
 	}
 
 	// Attach handler
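Review bot: `*prompt` is handed to the ForwardAuth literal further down in main unchecked, and the help string does not say which values are accepted, so a mistyped value (`consent,select_account`, or `none` together with another value, which OIDC forbids) is only reported by the IdP at a user's first login rather than at startup. Suggest naming the accepted values in the help text and validating the flag once after `flag.Parse()`, as sketched below; the `log.Fatalf` assumes main.go already reports bad configuration that way and that `strings`/`fmt` are imported, so adjust to whatever the file uses. `main` begins and ends outside the hunk.

```go
	prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options (none, login, consent, select_account)")

	flag.Parse()

	// … unchanged: remaining flag handling …
	if err := validatePrompt(*prompt); err != nil {
		log.Fatalf("invalid -prompt: %v", err)
	}

// validatePrompt accepts only the prompt values OIDC Core defines and
// rejects "none" combined with anything else, which the spec forbids.
// An empty value is valid and means the parameter is not sent.
func validatePrompt(prompt string) error {
	fields := strings.Fields(prompt)
	hasNone := false
	for _, p := range fields {
		switch p {
		case "none":
			hasNone = true
		case "login", "consent", "select_account":
		default:
			return fmt.Errorf("unknown value %q", p)
		}
	}
	if hasNone && len(fields) > 1 {
		return fmt.Errorf(`"none" cannot be combined with other values`)
	}
	return nil
}
```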