feat: Add support to SOCIAL_AUTH_OIDC_PROMPT and others (#1127)

* Add support to SOCIAL_AUTH_OIDC_PROMPT

Related to #1124

* Add support to more paramenters of OpenID Connect

* Add exceptions AuthInvalidParameter and AuthNotImplementedParameter

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update social_core/exceptions.py

* Apply suggestions from code review

* Apply suggestions from code review

---------

Co-authored-by: Michal Čihař <michal@weblate.org>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Michal Čihař <michal@cihar.com>

Author: 3 people

social_core/backends/open_id_connect.py

@@ -16,7 +16,12 @@
 from jwt.utils import base64url_decode
 
 from social_core.backends.oauth import BaseOAuth2
-from social_core.exceptions import AuthMissingParameter, AuthTokenError
+from social_core.exceptions import (
+    AuthInvalidParameter,
+    AuthMissingParameter,
+    AuthNotImplementedParameter,
+    AuthTokenError,
+)
 from social_core.utils import cache
 
 
@@ -64,6 +69,14 @@ class OpenIdConnectAuth(BaseOAuth2):
     USERINFO_URL = ""
     JWKS_URI = ""
     TOKEN_ENDPOINT_AUTH_METHOD = ""
+    # Optional parameters for Authentication Request
+    DISPLAY = None
+    PROMPT = None
+    MAX_AGE = None
+    UI_LOCALES = None
+    ID_TOKEN_HINT = None
+    LOGIN_HINT = None
+    ACR_VALUES = None
 
     def __init__(self, *args, **kwargs):
         self.id_token = None
@@ -136,10 +149,59 @@ def get_remote_jwks_keys(self):
         response = self.request(self.jwks_uri())
         return json.loads(response.text)["keys"]
 
-    def auth_params(self, state=None):
+    def auth_params(self, state=None):  # noqa: C901
         """Return extra arguments needed on auth process."""
         params = super().auth_params(state)
         params["nonce"] = self.get_and_store_nonce(self.authorization_url(), state)
+
+        display = self.setting("DISPLAY", default=self.DISPLAY)
+        if display is not None:
+            if not display:
+                raise AuthMissingParameter(
+                    self, "OpenID Connect display value cannot be empty string."
+                )
+
+            if display not in ("page", "popup", "touch", "wap"):
+                raise AuthMissingParameter(
+                    self, f"Invalid OpenID Connect display value: {display}"
+                )
+
+            params["display"] = display
+
+        prompt = self.setting("PROMPT", default=self.PROMPT)
+        if prompt is not None:
+            if not prompt:
+                raise AuthInvalidParameter(self, "prompt")
+
+            for prompt_token in prompt.split():
+                if prompt_token not in ("none", "login", "consent", "select_account"):
+                    raise AuthInvalidParameter(self, "prompt")
+
+            params["prompt"] = prompt
+
+        max_age = self.setting("MAX_AGE", default=self.MAX_AGE)
+        if max_age is not None:
+            if max_age < 0:
+                raise AuthInvalidParameter(self, "max_age")
+
+            params["max_age"] = max_age
+
+        ui_locales = self.setting("UI_LOCALES", default=self.UI_LOCALES)
+        if ui_locales is not None:
+            raise AuthNotImplementedParameter(self, "ui_locales")
+
+        id_token_hint = self.setting("ID_TOKEN_HINT", default=self.ID_TOKEN_HINT)
+        if id_token_hint is not None:
+            raise AuthNotImplementedParameter(self, "id_token_hint")
+
+        login_hint = self.setting("LOGIN_HINT", default=self.LOGIN_HINT)
+        if login_hint is not None:
+            raise AuthNotImplementedParameter(self, "login_hint")
+
+        acr_values = self.setting("ACR_VALUES", default=self.ACR_VALUES)
+        if acr_values is not None:
+            raise AuthNotImplementedParameter(self, "acr_values")
+
         return params
 
     def get_and_store_nonce(self, url, state):

social_core/exceptions.py

@@ -89,6 +89,20 @@ def __str__(self):
         return f"Missing needed parameter {self.parameter}"
 
 
+class AuthInvalidParameter(AuthMissingParameter):
+    """Invalid value for parameter to start or complete the process."""
+
+    def __str__(self):
+        return f"Invalid value for parameter {self.parameter}"
+
+
+class AuthNotImplementedParameter(AuthMissingParameter):
+    """Optional parameter not implemented to start or complete the process."""
+
+    def __str__(self):
+        return f"Not implemented parameter {self.parameter}"
+
+
 class AuthStateMissing(AuthException):
     """State parameter is incorrect."""