Add a flag to set the value of "approval_prompt".

By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.

README.md

@@ -94,6 +94,7 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
 
 ```
 Usage of oauth2_proxy:
+  -approval_prompt="force": Oauth approval_prompt
   -authenticated-emails-file="": authenticate against emails via file (one per line)
   -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
   -client-secret="": the OAuth Client Secret

main.go

@@ -63,6 +63,7 @@ func main() {
 	flagSet.String("profile-url", "", "Profile access endpoint")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "Oauth scope specification")
+	flagSet.String("approval-prompt", "force", "Oauth approval_prompt")
 
 	flagSet.Parse(os.Args[1:])
 

options.go

@@ -46,12 +46,13 @@ type Options struct {
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
-	Provider    string `flag:"provider" cfg:"provider"`
-	LoginUrl    string `flag:"login-url" cfg:"login_url"`
-	RedeemUrl   string `flag:"redeem-url" cfg:"redeem_url"`
-	ProfileUrl  string `flag:"profile-url" cfg:"profile_url"`
-	ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
-	Scope       string `flag:"scope" cfg:"scope"`
+	Provider       string `flag:"provider" cfg:"provider"`
+	LoginUrl       string `flag:"login-url" cfg:"login_url"`
+	RedeemUrl      string `flag:"redeem-url" cfg:"redeem_url"`
+	ProfileUrl     string `flag:"profile-url" cfg:"profile_url"`
+	ValidateUrl    string `flag:"validate-url" cfg:"validate_url"`
+	Scope          string `flag:"scope" cfg:"scope"`
+	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"`
 
 	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
 
@@ -76,6 +77,7 @@ func NewOptions() *Options {
 		PassBasicAuth:       true,
 		PassAccessToken:     false,
 		PassHostHeader:      true,
+		ApprovalPrompt:      "force",
 		RequestLogging:      true,
 	}
 }
@@ -165,7 +167,12 @@ func (o *Options) Validate() error {
 }
 
 func parseProviderInfo(o *Options, msgs []string) []string {
-	p := &providers.ProviderData{Scope: o.Scope, ClientID: o.ClientID, ClientSecret: o.ClientSecret}
+	p := &providers.ProviderData{
+		Scope:          o.Scope,
+		ClientID:       o.ClientID,
+		ClientSecret:   o.ClientSecret,
+		ApprovalPrompt: o.ApprovalPrompt,
+	}
 	p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
 	p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
 	p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)

providers/provider_data.go

@@ -5,14 +5,15 @@ import (
 )
 
 type ProviderData struct {
-	ProviderName string
-	ClientID     string
-	ClientSecret string
-	LoginUrl     *url.URL
-	RedeemUrl    *url.URL
-	ProfileUrl   *url.URL
-	ValidateUrl  *url.URL
-	Scope        string
+	ProviderName   string
+	ClientID       string
+	ClientSecret   string
+	LoginUrl       *url.URL
+	RedeemUrl      *url.URL
+	ProfileUrl     *url.URL
+	ValidateUrl    *url.URL
+	Scope          string
+	ApprovalPrompt string
 }
 
 func (p *ProviderData) Data() *ProviderData { return p }

providers/provider_default.go

@@ -80,7 +80,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
 	a = *p.LoginUrl
 	params, _ := url.ParseQuery(a.RawQuery)
 	params.Set("redirect_uri", redirectURI)
-	params.Set("approval_prompt", "force")
+	params.Set("approval_prompt", p.ApprovalPrompt)
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")