Add a configuration for forwarding the login hint to the upstream provider.

Author: pixlwave

crates/cli/src/sync.rs

@@ -304,6 +304,7 @@ pub async fn config_sync(
                             .additional_authorization_parameters
                             .into_iter()
                             .collect(),
+                        forward_login_hint: provider.forward_login_hint,
                         ui_order,
                     },
                 )

crates/config/src/sections/upstream_oauth2.rs

@@ -565,4 +565,11 @@ pub struct Provider {
     /// Orders of the keys are not preserved.
     #[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
     pub additional_authorization_parameters: BTreeMap<String, String>,
+
+    /// Whether the login_hint should be forwarded to the provider in the
+    /// authorization request.
+    ///
+    /// Defaults to `false`.
+    #[serde(default)]
+    pub forward_login_hint: bool,
 }

crates/data-model/src/upstream_oauth2/provider.rs

@@ -241,6 +241,7 @@ pub struct UpstreamOAuthProvider {
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
     pub additional_authorization_parameters: Vec<(String, String)>,
+    pub forward_login_hint: bool,
 }
 
 impl PartialOrd for UpstreamOAuthProvider {

crates/handlers/src/upstream_oauth2/authorize.rs

@@ -94,9 +94,16 @@ pub(crate) async fn get(
 
     // Forward the raw login hint upstream for the provider to handle however it
     // sees fit
-    if let Some(PostAuthAction::ContinueAuthorizationGrant { id }) = &query.post_auth_action {
-        if let Some(grant) = repo.oauth2_authorization_grant().lookup(*id).await? {
-            data.login_hint = grant.login_hint;
+    if provider.forward_login_hint {
+        if let Some(PostAuthAction::ContinueAuthorizationGrant { id }) = &query.post_auth_action {
+            if let Some(login_hint) = repo
+                .oauth2_authorization_grant()
+                .lookup(*id)
+                .await?
+                .and_then(|grant| grant.login_hint)
+            {
+                data = data.with_login_hint(login_hint);
+            }
         }
     }
 

crates/handlers/src/upstream_oauth2/cache.rs

@@ -426,6 +426,7 @@ mod tests {
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
             additional_authorization_parameters: Vec::new(),
+            forward_login_hint: false,
         };
 
         // Without any override, it should just use discovery

crates/handlers/src/upstream_oauth2/link.rs

@@ -983,6 +983,7 @@ mod tests {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     additional_authorization_parameters: Vec::new(),
+                    forward_login_hint: false,
                     ui_order: 0,
                 },
             )

crates/handlers/src/views/login.rs

@@ -498,6 +498,7 @@ mod test {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     additional_authorization_parameters: Vec::new(),
+                    forward_login_hint: false,
                     ui_order: 0,
                 },
             )
@@ -539,6 +540,7 @@ mod test {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     additional_authorization_parameters: Vec::new(),
+                    forward_login_hint: false,
                     ui_order: 1,
                 },
             )