feat: add option to change or disable OIDC login prompt parameter (#2037)

.env.example

@@ -23,6 +23,10 @@ NEXT_PRIVATE_OIDC_CLIENT_ID=""
 NEXT_PRIVATE_OIDC_CLIENT_SECRET=""
 NEXT_PRIVATE_OIDC_PROVIDER_LABEL="OIDC"
 NEXT_PRIVATE_OIDC_SKIP_VERIFY=""
+# Specifies the prompt to use for OIDC signin, explicitly setting
+# an empty string will omit the prompt parameter.
+# See: https://www.cerberauth.com/blog/openid-connect-oauth2-prompts/
+NEXT_PRIVATE_OIDC_PROMPT="login"
 
 # [[URLS]]
 NEXT_PUBLIC_WEBAPP_URL="http://localhost:3000"

packages/auth/server/lib/utils/handle-oauth-authorize-url.ts

@@ -27,13 +27,13 @@ type HandleOAuthAuthorizeUrlOptions = {
   /**
    * Optional prompt to pass to the authorization endpoint.
    */
-  prompt?: 'login' | 'consent' | 'select_account';
+  prompt?: 'none' | 'login' | 'consent' | 'select_account';
 };
 
 const oauthCookieMaxAge = 60 * 10; // 10 minutes.
 
 export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => {
-  const { c, clientOptions, redirectPath, prompt = 'login' } = options;
+  const { c, clientOptions, redirectPath } = options;
 
   if (!clientOptions.clientId || !clientOptions.clientSecret) {
     throw new AppError(AppErrorCode.NOT_SETUP);
@@ -63,7 +63,11 @@ export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOp
   );
 
   // Pass the prompt to the authorization endpoint.
-  url.searchParams.append('prompt', prompt);
+  if (process.env.NEXT_PRIVATE_OIDC_PROMPT !== '') {
+    const prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login';
+
+    url.searchParams.append('prompt', prompt);
+  }
 
   setCookie(c, `${clientOptions.id}_oauth_state`, state, {
     ...sessionCookieOptions,

turbo.json

@@ -119,6 +119,7 @@
     "GOOGLE_APPLICATION_CREDENTIALS",
     "E2E_TEST_AUTHENTICATE_USERNAME",
     "E2E_TEST_AUTHENTICATE_USER_EMAIL",
-    "E2E_TEST_AUTHENTICATE_USER_PASSWORD"
+    "E2E_TEST_AUTHENTICATE_USER_PASSWORD",
+    "NEXT_PRIVATE_OIDC_PROMPT"
   ]
 }