From 324c3c358523e317c8fbb7c31e1e0a6644fda5ca Mon Sep 17 00:00:00 2001
From: msroz
Date: Mon, 5 Aug 2024 08:37:24 +0900
Subject: [PATCH] feat: support prompt=create
---
 consent/strategy_default.go | 2 +-
 ...estHandlerWellKnown-hsm_enabled=false.json | 6 ++++++
 ...TestHandlerWellKnown-hsm_enabled=true.json | 6 ++++++
 oauth2/handler.go | 6 ++++++
 oauth2/oauth2_auth_code_test.go | 21 +++++++++++++++++++
 spec/config.json | 2 +-
 6 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 117fba92548..be2c0cf659f 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -280,7 +280,7 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(ctx context.Context, w ht
 }
 var baseURL *url.URL
- if stringslice.Has(prompt, "registration") {
+ if stringslice.Has(prompt, "registration") || stringslice.Has(prompt, "create") {
 baseURL = s.c.RegistrationURL(ctx)
 } else {
 baseURL = s.c.LoginURL(ctx)
diff --git a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json
index 215fa018214..9e4c89a0f8c 100644
--- a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json
+++ b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json
@@ -97,5 +97,11 @@
 "userinfo_signing_alg_values_supported": [
 "none",
 "RS256"
+ ],
+ "prompt_values_supported": [
+ "none",
+ "login",
+ "consent",
+ "select_account"
 ]
 }
diff --git a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json
index 215fa018214..9e4c89a0f8c 100644
--- a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json
+++ b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json
@@ -97,5 +97,11 @@
 "userinfo_signing_alg_values_supported": [
 "none",
 "RS256"
+ ],
+ "prompt_values_supported": [
+ "none",
+ "login",
+ "consent",
+ "select_account"
 ]
 }
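Review bot: The prompt value `"create"` is now a bare string literal in this condition and again, separately spelled, in the `prompt_values_supported` slice in oauth2/handler.go, so the set of prompts that route to the registration URL and the set the OP advertises in discovery can drift without any compiler or test noticing. A single shared constant, e.g. `const PromptCreate = "create"` next to the existing prompt handling, referenced from both sites would keep routing and discovery in step. forwardAuthenticationRequest begins and ends outside this hunk, so I cannot see from here how `create` interacts with the existing `none` and session checks earlier in the function; if a `create` combined with `none` is meant to be rejected, that presumably belongs before this branch rather than in it.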
diff --git a/oauth2/handler.go b/oauth2/handler.go
index abbae730d9a..9b275701182 100644
--- a/oauth2/handler.go
+++ b/oauth2/handler.go
@@ -427,6 +427,11 @@ type oidcConfiguration struct {
 //
 // JSON array containing a list of the Verifiable Credentials supported by this authorization server.
 CredentialsSupportedDraft00 []CredentialSupportedDraft00 `json:"credentials_supported_draft_00"`
+
+ // Initiating User Registration via OpenID Connect 1.0
+ //
+ // JSON array containing the list of prompt values that this OP supports.
+ PromptValuesSupported []string `json:"prompt_values_supported"`
 }
 // Verifiable Credentials Metadata (Draft 00)
@@ -521,6 +526,7 @@ func (h *Handler) discoverOidcConfiguration(w http.ResponseWriter, r *http.Reque
 "EdDSA",
 },
 }},
+ PromptValuesSupported: []string{"none", "login", "consent", "select_account", "create"},
 })
 }
diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
index aa6934062ed..bf434bdc779 100644
--- a/oauth2/oauth2_auth_code_test.go
+++ b/oauth2/oauth2_auth_code_test.go
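Review bot: The slice assigned to `PromptValuesSupported` in discoverOidcConfiguration advertises five values including `"create"`, but the two `.snapshots/TestHandlerWellKnown-hsm_enabled=*.json` files updated in this same commit record only `none`, `login`, `consent` and `select_account`; either the snapshot test fails against this code, or the snapshots were regenerated from a revision that did not yet advertise `create`, which is the very value this commit adds. Regenerate both snapshots so they contain `"create"` as well. It would also be worth building this slice from the same constants the consent strategy matches on instead of re-spelling the literals here, so discovery and routing cannot disagree. The remainder of discoverOidcConfiguration lies outside the hunk.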
@@ -648,6 +648,27 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 assertIDToken(t, token, conf, subject, nonce, time.Now().Add(reg.Config().GetIDTokenLifespan(ctx)))
 })
+ t.Run("case=perform flow with prompt=create", func(t *testing.T) {
+ c, conf := newOAuth2Client(t, reg, testhelpers.NewCallbackURL(t, "callback", testhelpers.HTTPServerNotImplementedHandler))
+
+ regUI := httptest.NewServer(acceptLoginHandler(t, c, subject, nil))
+ t.Cleanup(regUI.Close)
+ reg.Config().MustSet(ctx, config.KeyRegistrationURL, regUI.URL)
+
+ testhelpers.NewLoginConsentUI(t, reg.Config(),
+ nil,
+ acceptConsentHandler(t, c, subject, nil))
+
+ code, _ := getAuthorizeCode(t, conf, nil,
+ oauth2.SetAuthURLParam("prompt", "create"),
+ oauth2.SetAuthURLParam("nonce", nonce))
+ require.NotEmpty(t, code)
+
+ token, err := conf.Exchange(context.Background(), code)
+ require.NoError(t, err)
+
+ assertIDToken(t, token, conf, subject, nonce, time.Now().Add(reg.Config().GetIDTokenLifespan(ctx)))
+ })
 t.Run("case=perform flow with audience", func(t *testing.T) {
 expectAud := "https://api.ory.sh/"
diff --git a/spec/config.json b/spec/config.json
index 9899db71df0..0a8052ccea7 100644
--- a/spec/config.json
+++ b/spec/config.json
@@ -778,7 +778,7 @@
 },
 "registration": {
 "type": "string",
- "description": "Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to the same value as `login`. The registration URL is used if the authorization request was started with the `prompt=registration` parameter.",
+ "description": "Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to the same value as `login`. The registration URL is used if the authorization request was started with the `prompt=registration` or `prompt=create` parameter.",
 "format": "uri-reference",
 "examples": [
 "https://my-login.app/registration",
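Review bot: `reg.Config().MustSet(ctx, config.KeyRegistrationURL, regUI.URL)` changes shared configuration for the rest of TestAuthCodeWithDefaultStrategy, but only the server is torn down via `t.Cleanup(regUI.Close)`, so later subtests such as `case=perform flow with audience` run with a registration URL that points at a closed server. Capture and restore the previous value, e.g. `prev := reg.Config().RegistrationURL(ctx)` before the `MustSet` and `t.Cleanup(func() { reg.Config().MustSet(ctx, config.KeyRegistrationURL, prev.String()) })` afterwards (assuming MustSet accepts the string form, as it does for `regUI.URL`). The subtest only proves routing indirectly — the login handler passed to `NewLoginConsentUI` is `nil`, so a request sent to the login URL would presumably fail — and an explicit assertion that the `regUI` handler was reached would state the intent of `prompt=create` directly. The enclosing TestAuthCodeWithDefaultStrategy starts and ends outside this hunk.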