feat: add login hint on authorization endpoint (#11)

* feat: add login hint on authorization endpoint

* feat: set login hint based on login_hint query param

* chore: update tests

* chore: add test for login hint

Author: ricklambrechts

src/Http/Controllers/LoginController.php

@@ -6,6 +6,7 @@
 
 use Exception;
 use Illuminate\Contracts\Support\Responsable;
+use Illuminate\Http\Request;
 use Jumbojett\OpenIDConnectClientException;
 use MinVWS\OpenIDConnectLaravel\Http\Responses\LoginResponseInterface;
 use MinVWS\OpenIDConnectLaravel\OpenIDConnectClient;
@@ -19,10 +20,11 @@ public function __construct(
     ) {
     }
 
-    public function __invoke(): Responsable
+    public function __invoke(Request $request): Responsable
     {
         // This redirects to the client and handles the redirect back
         try {
+            $this->client->setLoginHint($this->getLoginHint($request));
             $this->client->authenticate();
         } catch (OpenIDConnectClientException $e) {
             return $this->exceptionHandler->handleExceptionWhileAuthenticate($e);
@@ -43,4 +45,19 @@ public function __invoke(): Responsable
         // Return the user information in a response
         return app(LoginResponseInterface::class, ['userInfo' => $userInfo]);
     }
+
+    /**
+     * Get the login hint from the request.
+     * @param Request $request
+     * @return string|null
+     */
+    protected function getLoginHint(Request $request): ?string
+    {
+        $loginHint = $request->query('login_hint');
+        if (!is_string($loginHint)) {
+            return null;
+        }
+
+        return $loginHint;
+    }
 }

src/OpenIDConnectClient.php

@@ -23,6 +23,7 @@ class OpenIDConnectClient extends BaseOpenIDConnectClient
 {
     protected ?JweDecryptInterface $jweDecrypter;
     protected ?OpenIDConfiguration $openIDConfiguration;
+    protected ?string $loginHint = null;
 
     public function __construct(
         ?string $providerUrl = null,
@@ -118,14 +119,55 @@ protected function getWellKnownConfigValue($param, $default = null): string|arra
     }
 
     /**
-     * Overwrite the redirect method to use Laravel's abort method.
+     * Set login hint when redirecting to authorization endpoint.
+     * Is used when redirecting to the authorization endpoint.
+     * @param string|null $loginHint
+     * @return void
+     */
+    public function setLoginHint(?string $loginHint = null): void
+    {
+        $this->loginHint = $loginHint;
+    }
+
+    /**
+     * Overwrite the redirect method to a redirect method of Laravel.
+     * And add login_hint when redirecting to the authorization endpoint.
      * Sometimes the error 'Cannot modify header information - headers already sent' was thrown.
-     * By using Laravel's abort method, this error is prevented.
+     * By using HttpResponseException, laravel will return the given response.
      * @param string $url
      * @return void
+     * @throws OpenIDConnectClientException
      */
     public function redirect($url): void
     {
+        $authorizationEndpoint = $this->getAuthorizationEndpoint();
+        if (
+            !empty($this->loginHint)
+            && str_starts_with($url, $authorizationEndpoint)
+        ) {
+            $url .= "&" . http_build_query(['login_hint' => $this->loginHint]);
+        }
+
         throw new HttpResponseException(new RedirectResponse($url));
     }
+
+    /**
+     * Get authorization_endpoint from openid configuration.
+     * @throws OpenIDConnectClientException
+     */
+    protected function getAuthorizationEndpoint(): string
+    {
+        if ($this->openIDConfiguration !== null) {
+            return $this->openIDConfiguration->authorizationEndpoint;
+        }
+
+        $authorizationEndpoint = $this->getWellKnownConfigValue('authorization_endpoint');
+        if (!is_string($authorizationEndpoint)) {
+            throw new OpenIDConnectClientException(
+                'No authorization endpoint found in well-known config.'
+            );
+        }
+
+        return $authorizationEndpoint;
+    }
 }

tests/Feature/Http/Controllers/LoginControllerTest.php

@@ -35,10 +35,26 @@ public function testLoginRouteRedirectsToAuthorizeUrlOfProvider(): void
             ->assertRedirectContains("https://provider.rdobeheer.nl/authorize")
             ->assertRedirectContains('test-client-id');
     }
+    public function testLoginRouteRedirectsToAuthorizeUrlOfProviderWithLoginHint(): void
+    {
+        $this->mockOpenIDConfigurationLoader();
+
+        config()->set('oidc.client_id', 'test-client-id');
+
+        $response = $this->get(route('oidc.login', ['login_hint' => 'test-login-hint']));
+        $response
+            ->assertStatus(302)
+            ->assertRedirectContains("https://provider.rdobeheer.nl/authorize")
+            ->assertRedirectContains('test-client-id')
+            ->assertRedirectContains('login_hint=test-login-hint');
+    }
 
     public function testLoginRouteReturnsUserInfoWitchMockedClient(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient
             ->shouldReceive('authenticate')
             ->once();

tests/Unit/Http/Controllers/LoginControllerTest.php

@@ -50,6 +50,9 @@ public function testLoginControllerCanBeCreated(): void
     public function testExceptionHandlerIsCalledWhenAuthenticateThrowsException(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient
             ->shouldReceive('authenticate')
             ->andThrow(OpenIDConnectClientException::class);
@@ -64,12 +67,15 @@ public function testExceptionHandlerIsCalledWhenAuthenticateThrowsException(): v
             $mockExceptionHandler,
         );
 
-        $loginController->__invoke();
+        $loginController->__invoke(new Request());
     }
 
     public function testExceptionHandlerIsCalledWhenRequestUserInfoDoesNotReturnAnObject(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient->shouldReceive('authenticate')->once();
         $mockClient
             ->shouldReceive('requestUserInfo')
@@ -89,12 +95,15 @@ public function testExceptionHandlerIsCalledWhenRequestUserInfoDoesNotReturnAnOb
             $mockExceptionHandler,
         );
 
-        $loginController->__invoke();
+        $loginController->__invoke(new Request());
     }
 
     public function testExceptionHandlerIsCalledWhenRequestUserInfoThrowsAnException(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient->shouldReceive('authenticate')->once();
         $mockClient
             ->shouldReceive('requestUserInfo')
@@ -114,12 +123,15 @@ public function testExceptionHandlerIsCalledWhenRequestUserInfoThrowsAnException
             $mockExceptionHandler,
         );
 
-        $loginController->__invoke();
+        $loginController->__invoke(new Request());
     }
 
     public function testExceptionHandlerIsCalledWhenRequestUserInfoThrowsAnJweDecryptException(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient->shouldReceive('authenticate')->once();
         $mockClient
             ->shouldReceive('requestUserInfo')
@@ -139,12 +151,15 @@ public function testExceptionHandlerIsCalledWhenRequestUserInfoThrowsAnJweDecryp
             $mockExceptionHandler,
         );
 
-        $loginController->__invoke();
+        $loginController->__invoke(new Request());
     }
 
     public function testLoginResponseIsReturnedWithUserInfo(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient->shouldReceive('authenticate')->once();
         $mockClient
             ->shouldReceive('requestUserInfo')
@@ -158,7 +173,7 @@ public function testLoginResponseIsReturnedWithUserInfo(): void
             $mockExceptionHandler,
         );
 
-        $response = $loginController->__invoke();
+        $response = $loginController->__invoke(new Request());
 
         $this->assertInstanceOf(LoginResponseInterface::class, $response);
         $this->assertInstanceOf(Responsable::class, $response);
@@ -167,6 +182,9 @@ public function testLoginResponseIsReturnedWithUserInfo(): void
     public function testUserInfoIsReturned(): void
     {
         $mockClient = Mockery::mock(OpenIDConnectClient::class);
+        $mockClient
+            ->shouldReceive('setLoginHint')
+            ->once();
         $mockClient->shouldReceive('authenticate')->once();
         $mockClient
             ->shouldReceive('requestUserInfo')
@@ -180,7 +198,7 @@ public function testUserInfoIsReturned(): void
             $mockExceptionHandler,
         );
 
-        $loginResponse = $loginController->__invoke();
+        $loginResponse = $loginController->__invoke(new Request());
         $response = $loginResponse->toResponse(Mockery::mock(Request::class));
 
         $this->assertSame(json_encode([