feat(idp): support prompt=none

Author: pennersr

allauth/idp/oidc/internal/oauthlib/request_validator.py

@@ -377,7 +377,17 @@ def rotate_refresh_token(self, request):
         return app_settings.ROTATE_REFRESH_TOKEN
 
     def validate_silent_login(self, request) -> bool:
+        if context.request.user.is_authenticated:
+            request.user = context.request.user
+            return True
         return False
 
     def validate_silent_authorization(self, request) -> bool:
-        return False
+        granted_scopes = set()
+        tokens = Token.objects.valid().filter(
+            user=context.request.user,
+            type__in=[Token.Type.REFRESH_TOKEN, Token.Type.ACCESS_TOKEN],
+        )
+        for token in tokens.iterator():
+            granted_scopes.update(token.get_scopes())
+        return set(request.scopes).issubset(granted_scopes)

allauth/idp/oidc/tests/test_authorization.py

@@ -400,3 +400,43 @@ def test_redirect_to_login_with_prompt_login(
         assert params["prompt"][0] == next_prompt
     else:
         assert "prompt" not in params
+
+
+@pytest.mark.parametrize(
+    "client_fixture,scope,error",
+    [
+        ("auth_client", "openid", None),
+        ("auth_client", "openid profile", "consent_required"),
+        ("client", "openid", "login_required"),
+    ],
+)
+def test_prompt_none(
+    request,
+    client_fixture,
+    scope,
+    error,
+    oidc_client,
+    user,
+    access_token_generator,
+):
+    access_token_generator(oidc_client, user, scopes=["openid"])
+    client = request.getfixturevalue(client_fixture)
+    redirect_uri = oidc_client.get_redirect_uris()[0]
+    resp = client.get(
+        reverse("idp:oidc:authorization")
+        + "?"
+        + urlencode(
+            {
+                "client_id": oidc_client.id,
+                "response_type": "code",
+                "scope": scope,
+                "redirect_uri": redirect_uri,
+                "prompt": "none",
+            }
+        )
+    )
+    assert resp.status_code == HTTPStatus.FOUND
+    if error:
+        assert resp["location"] == "https://client/callback?error=" + error
+    else:
+        assert resp["location"].startswith("https://client/callback?code=")

allauth/idp/oidc/views.py

@@ -88,9 +88,16 @@ def get(self, request, *args, **kwargs):
             return response
         orequest = extract_params(self.request)
         try:
-            self._scopes, self._request_info = (
-                get_server().validate_authorization_request(*orequest)
+            server = get_server()
+            self._scopes, self._request_info = server.validate_authorization_request(
+                *orequest
             )
+            if "none" in self._request_info.get("prompt", ()):
+                oresponse = server.create_authorization_response(
+                    *orequest, scopes=self._scopes
+                )
+                return convert_response(*oresponse)
+
         # Errors that should be shown to the user on the provider website
         except errors.FatalClientError as e:
             return respond_html_error(request, e)
@@ -134,6 +141,8 @@ def _login_required(self, request) -> Optional[HttpResponse]:
             prompts = prompt.split()
         if "login" in prompts:
             return self._handle_login_prompt(request, prompts)
+        if "none" in prompts:
+            return None
         if request.user.is_authenticated:
             return None
         return login_required()(None)(request)  # type:ignore[misc,type-var]