feat: Hint, use old_domain, then OIDC, then nothing

Crash-- · Crash-- · commit aeffe22d24c8 · 2026-01-16T14:08:19.000+01:00
diff --git a/web/oidc/oidc.go b/web/oidc/oidc.go
@@ -51,7 +51,7 @@ func Start(c echo.Context) error {
 		inst.Logger().WithNamespace("oidc").Infof("Start error: %s", err)
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the context was not found.")
 	}
-	u, err := makeStartURL(inst.Domain, c.QueryParam("redirect"), c.QueryParam("confirm_state"), "", conf)
+	u, err := makeStartURL(inst, inst.Domain, c.QueryParam("redirect"), c.QueryParam("confirm_state"), "", conf)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
@@ -66,7 +66,7 @@ func StartFranceConnect(c echo.Context) error {
 		inst.Logger().WithNamespace("oidc").Infof("StartFranceConnect error: %s", err)
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the context was not found.")
 	}
-	u, err := makeStartURL(inst.Domain, c.QueryParam("redirect"), c.QueryParam("confirm_state"), "", conf)
+	u, err := makeStartURL(inst, inst.Domain, c.QueryParam("redirect"), c.QueryParam("confirm_state"), "", conf)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
@@ -81,7 +81,7 @@ func Sharing(c echo.Context) error {
 		inst.Logger().WithNamespace("oidc").Infof("Start error: %s", err)
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the context was not found.")
 	}
-	u, err := makeSharingStartURL(inst.Domain, c.QueryParam("sharingID"), c.QueryParam("state"), conf, inst.ContextName)
+	u, err := makeSharingStartURL(inst, c.QueryParam("sharingID"), c.QueryParam("state"), conf, inst.ContextName)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
@@ -96,7 +96,7 @@ func SharingPublic(c echo.Context) error {
 		inst.Logger().WithNamespace("oidc").Infof("Start error: %s", err)
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
-	u, err := makeSharingStartURL(inst.Domain, c.QueryParam("sharingID"), c.QueryParam("state"), conf, contextName)
+	u, err := makeSharingStartURL(inst, c.QueryParam("sharingID"), c.QueryParam("state"), conf, contextName)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
@@ -133,7 +133,7 @@ func BitwardenStart(c echo.Context) error {
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the context was not found.")
 	}
-	u, err := makeStartURL("", redirectURI, "", contextName, conf)
+	u, err := makeStartURL(nil, "", redirectURI, "", contextName, conf)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
@@ -852,7 +852,20 @@ func getFranceConnectConfig(context string) (*Config, error) {
 	return config, nil
 }
 
-func makeStartURL(domain, redirect, confirm, oidcContext string, conf *Config) (string, error) {
+func getLoginHint(inst *instance.Instance) string {
+	if inst == nil {
+		return ""
+	}
+	if inst.OldDomain != "" {
+		return inst.OldDomain
+	}
+	if inst.OIDCID != "" {
+		return inst.OIDCID
+	}
+	return ""
+}
+
+func makeStartURL(inst *instance.Instance, domain, redirect, confirm, oidcContext string, conf *Config) (string, error) {
 	u, err := url.Parse(conf.AuthorizeURL)
 	if err != nil {
 		return "", err
@@ -868,8 +881,9 @@ func makeStartURL(domain, redirect, confirm, oidcContext string, conf *Config) (
 	vv.Add("redirect_uri", conf.RedirectURI)
 	vv.Add("state", state.id)
 	vv.Add("nonce", state.Nonce)
-	if domain != "" {
-		vv.Add("login_hint", domain)
+	loginHint := getLoginHint(inst)
+	if loginHint != "" {
+		vv.Add("login_hint", loginHint)
 	}
 	if conf.Provider == FranceConnectProvider {
 		vv.Add("acr_values", "eidas1")
@@ -878,12 +892,12 @@ func makeStartURL(domain, redirect, confirm, oidcContext string, conf *Config) (
 	return u.String(), nil
 }
 
-func makeSharingStartURL(domain, sharingID, sharingState string, conf *Config, contextName string) (string, error) {
+func makeSharingStartURL(inst *instance.Instance, sharingID, sharingState string, conf *Config, contextName string) (string, error) {
 	u, err := url.Parse(conf.AuthorizeURL)
 	if err != nil {
 		return "", err
 	}
-	state := newSharingStateHolder(domain, sharingID, sharingState, conf.Provider, contextName)
+	state := newSharingStateHolder(inst.Domain, sharingID, sharingState, conf.Provider, contextName)
 	if err = getStorage().Add(state); err != nil {
 		return "", err
 	}
@@ -894,8 +908,9 @@ func makeSharingStartURL(domain, sharingID, sharingState string, conf *Config, c
 	vv.Add("redirect_uri", conf.RedirectURI)
 	vv.Add("state", state.id)
 	vv.Add("nonce", state.Nonce)
-	if domain != "" {
-		vv.Add("login_hint", domain)
+	loginHint := getLoginHint(inst)
+	if loginHint != "" {
+		vv.Add("login_hint", loginHint)
 	}
 	if conf.Provider == FranceConnectProvider {
 		vv.Add("acr_values", "eidas1")
@@ -1343,7 +1358,7 @@ func LoginDomainHandler(c echo.Context, contextName string) error {
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the context was not found.")
 	}
-	u, err := makeStartURL(r.Host, "", "", "", conf)
+	u, err := makeStartURL(nil, r.Host, "", "", "", conf)
 	if err != nil {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the server is not configured for OpenID Connect.")
 	}
diff --git a/web/oidc/oidc_test.go b/web/oidc/oidc_test.go
@@ -153,10 +153,20 @@ func TestOidc(t *testing.T) {
 		assert.NotNil(t, redirectURL.Query().Get("response_type"))
 		assert.NotNil(t, redirectURL.Query().Get("state"))
 		assert.NotNil(t, redirectURL.Query().Get("scope"))
-		// Verify login_hint is present with the instance domain
+		// Verify login_hint logic: old_domain > OIDCID > nothing
 		loginHint := redirectURL.Query().Get("login_hint")
-		assert.NotEmpty(t, loginHint, "login_hint should be present in redirect URL")
-		assert.Equal(t, testInstance.Domain, loginHint, "login_hint should contain the instance domain")
+		expectedLoginHint := ""
+		if testInstance.OldDomain != "" {
+			expectedLoginHint = testInstance.OldDomain
+		} else if testInstance.OIDCID != "" {
+			expectedLoginHint = testInstance.OIDCID
+		}
+		if expectedLoginHint != "" {
+			assert.NotEmpty(t, loginHint, "login_hint should be present in redirect URL")
+			assert.Equal(t, expectedLoginHint, loginHint, "login_hint should match old_domain or OIDCID")
+		} else {
+			assert.Empty(t, loginHint, "login_hint should not be present when neither old_domain nor OIDCID is set")
+		}
 	})
 
 	// Get the login page, assert we have an error if state is missing
@@ -298,13 +308,49 @@ func TestOidc(t *testing.T) {
 		require.Equal(t, "delegated-session-123", storedClient.OIDCSessionID)
 	})
 
-	t.Run("LoginHintWithDomain", func(t *testing.T) {
+	t.Run("LoginHintWithOIDCID", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, ts.URL)
 
 		onboardingFinished := true
-		_ = lifecycle.Patch(testInstance, &lifecycle.Options{OnboardingFinished: &onboardingFinished})
+		oidcID := "user-oidc-sub-123"
+		// Set OIDCID without old_domain to test OIDCID priority
+		_ = lifecycle.Patch(testInstance, &lifecycle.Options{
+			OnboardingFinished: &onboardingFinished,
+			OIDCID:             oidcID,
+		})
+
+		// Test that login_hint uses OIDCID when old_domain is not present
+		u := e.GET("/oidc/start").
+			WithHost(testInstance.Domain).
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(303).
+			Header("Location").Raw()
+
+		redirectURL, err := url.Parse(u)
+		require.NoError(t, err)
+
+		loginHint := redirectURL.Query().Get("login_hint")
+		// If old_domain exists from previous test, it should take priority
+		// Otherwise, OIDCID should be used
+		if testInstance.OldDomain != "" {
+			assert.Equal(t, testInstance.OldDomain, loginHint, "login_hint should use old_domain when present (priority)")
+		} else {
+			assert.NotEmpty(t, loginHint, "login_hint should be present when OIDCID is set")
+			assert.Equal(t, oidcID, loginHint, "login_hint should use OIDCID when old_domain is not present")
+		}
+	})
+
+	t.Run("LoginHintWithOldDomain", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, ts.URL)
+
+		onboardingFinished := true
+		oldDomain := "old.example.com"
+		_ = lifecycle.Patch(testInstance, &lifecycle.Options{
+			OnboardingFinished: &onboardingFinished,
+			OldDomain:          oldDomain,
+		})
 
-		// Test that login_hint is present when domain is provided
+		// Test that login_hint uses old_domain when present (highest priority)
 		u := e.GET("/oidc/start").
 			WithHost(testInstance.Domain).
 			WithRedirectPolicy(httpexpect.DontFollowRedirects).
@@ -315,15 +361,19 @@ func TestOidc(t *testing.T) {
 		require.NoError(t, err)
 
 		loginHint := redirectURL.Query().Get("login_hint")
-		assert.NotEmpty(t, loginHint, "login_hint should be present when domain is provided")
-		assert.Equal(t, testInstance.Domain, loginHint, "login_hint should match the instance domain")
+		assert.NotEmpty(t, loginHint, "login_hint should be present when old_domain is set")
+		assert.Equal(t, oldDomain, loginHint, "login_hint should use old_domain when present (highest priority)")
 	})
 
 	t.Run("LoginHintWithFranceConnect", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, ts.URL)
 
 		onboardingFinished := true
-		_ = lifecycle.Patch(testInstance, &lifecycle.Options{OnboardingFinished: &onboardingFinished})
+		oldDomain := "old.franceconnect.example.com"
+		_ = lifecycle.Patch(testInstance, &lifecycle.Options{
+			OnboardingFinished: &onboardingFinished,
+			OldDomain:          oldDomain,
+		})
 
 		// Test that login_hint is present for FranceConnect flow
 		u := e.GET("/oidc/franceconnect").
@@ -337,7 +387,37 @@ func TestOidc(t *testing.T) {
 
 		loginHint := redirectURL.Query().Get("login_hint")
 		assert.NotEmpty(t, loginHint, "login_hint should be present for FranceConnect flow")
-		assert.Equal(t, testInstance.Domain, loginHint, "login_hint should match the instance domain")
+		assert.Equal(t, oldDomain, loginHint, "login_hint should use old_domain for FranceConnect")
+	})
+
+	t.Run("LoginHintWithoutOldDomainOrOIDCID", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, ts.URL)
+
+		onboardingFinished := true
+		_ = lifecycle.Patch(testInstance, &lifecycle.Options{
+			OnboardingFinished: &onboardingFinished,
+		})
+
+		// Test that login_hint behavior depends on current instance state
+		// If old_domain or OIDCID exist from previous tests, they will be used
+		// Otherwise, no login_hint should be present
+		u := e.GET("/oidc/start").
+			WithHost(testInstance.Domain).
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(303).
+			Header("Location").Raw()
+
+		redirectURL, err := url.Parse(u)
+		require.NoError(t, err)
+
+		loginHint := redirectURL.Query().Get("login_hint")
+		// Check current state - if neither old_domain nor OIDCID is set, login_hint should be empty
+		if testInstance.OldDomain == "" && testInstance.OIDCID == "" {
+			assert.Empty(t, loginHint, "login_hint should not be present when neither old_domain nor OIDCID is set")
+		} else {
+			// If one of them exists, it should be used (this tests the priority logic)
+			assert.NotEmpty(t, loginHint, "login_hint should be present if old_domain or OIDCID is set")
+		}
 	})
 
 	t.Run("LoginHintWithoutDomain", func(t *testing.T) {
