FEATURE: Allow parameters to be passed from /auth/oidc to the IDP

The most common use case is when you want the IDP to start with a specific screen (e.g. signup, rather than sign in). This change has no effect by default, you must add the parameter names to the openid_connect_authorize_parameters site setting.

Author: davidtaylorhq

config/locales/server.en.yml

@@ -8,4 +8,5 @@ en:
  openid_connect_token_scope: "The scopes sent when requesting the token endpoint. The official specification does not require this."
  openid_connect_error_redirects: "If the callback error_reason contains the first parameter, the user will be redirected to the URL in the second parameter"
  openid_connect_allow_association_change: "Allow users to disconnect and reconnect their Discourse accounts from the OpenID Connect provider"
- openid_connect_verbose_logging: "Log detailed openid-connect authentication information to `/logs`. Keep this disabled during normal use."
+ openid_connect_verbose_logging: "Log detailed openid-connect authentication information to `/logs`. Keep this disabled during normal use."
+ openid_connect_authorize_parameters: "URL parameters which will be included in the redirect from /auth/oidc to the IDP's authorize endpoint"

config/settings.yml

@@ -19,3 +19,7 @@ plugins:
  default: ''
  type: list
  list_type: secret
+ openid_connect_authorize_parameters:
+ default: ''
+ type: list
+ list_type: compact

lib/openid_connect_authenticator.rb

@@ -50,7 +50,8 @@ def register_middleware(omniauth)
  scope: SiteSetting.openid_connect_authorize_scope,
  token_params: {
  scope: SiteSetting.openid_connect_token_scope,
- }
+ },
+ passthrough_authorize_options: SiteSetting.openid_connect_authorize_parameters.split("|")
  )
  }
  end