From 33045a792bec5b48fb061501bca95f15403846dc Mon Sep 17 00:00:00 2001
From: Ed Bardsley <ebardsley@gmail.com>
Date: Sat, 25 Jul 2015 16:27:49 -0700
Subject: [PATCH] Add a flag to set the value of "approval_prompt".

By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.
---
 README.md                     |  1 +
 main.go                       |  1 +
 options.go                    | 21 ++++++++++++++-------
 providers/provider_data.go    | 17 +++++++++--------
 providers/provider_default.go |  2 +-
 5 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 370f100..35fced3 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,7 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
 
 ```
 Usage of oauth2_proxy:
+  -approval_prompt="force": Oauth approval_prompt
   -authenticated-emails-file="": authenticate against emails via file (one per line)
   -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
   -client-secret="": the OAuth Client Secret
diff --git a/main.go b/main.go
index e752409..79f349c 100644
--- a/main.go
+++ b/main.go
@@ -63,6 +63,7 @@ func main() {
 	flagSet.String("profile-url", "", "Profile access endpoint")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "Oauth scope specification")
+	flagSet.String("approval-prompt", "force", "Oauth approval_prompt")
 
 	flagSet.Parse(os.Args[1:])
 
diff --git a/options.go b/options.go
index 99e0ef4..56ab944 100644
--- a/options.go
+++ b/options.go
@@ -46,12 +46,13 @@ type Options struct {
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
-	Provider    string `flag:"provider" cfg:"provider"`
-	LoginUrl    string `flag:"login-url" cfg:"login_url"`
-	RedeemUrl   string `flag:"redeem-url" cfg:"redeem_url"`
-	ProfileUrl  string `flag:"profile-url" cfg:"profile_url"`
-	ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
-	Scope       string `flag:"scope" cfg:"scope"`
+	Provider       string `flag:"provider" cfg:"provider"`
+	LoginUrl       string `flag:"login-url" cfg:"login_url"`
+	RedeemUrl      string `flag:"redeem-url" cfg:"redeem_url"`
+	ProfileUrl     string `flag:"profile-url" cfg:"profile_url"`
+	ValidateUrl    string `flag:"validate-url" cfg:"validate_url"`
+	Scope          string `flag:"scope" cfg:"scope"`
+	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"`
 
 	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
 
@@ -76,6 +77,7 @@ func NewOptions() *Options {
 		PassBasicAuth:       true,
 		PassAccessToken:     false,
 		PassHostHeader:      true,
+		ApprovalPrompt:      "force",
 		RequestLogging:      true,
 	}
 }
@@ -165,7 +167,12 @@ func (o *Options) Validate() error {
 }
 
 func parseProviderInfo(o *Options, msgs []string) []string {
-	p := &providers.ProviderData{Scope: o.Scope, ClientID: o.ClientID, ClientSecret: o.ClientSecret}
+	p := &providers.ProviderData{
+		Scope:          o.Scope,
+		ClientID:       o.ClientID,
+		ClientSecret:   o.ClientSecret,
+		ApprovalPrompt: o.ApprovalPrompt,
+	}
 	p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
 	p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
 	p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 40cda04..6ddfed1 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -5,14 +5,15 @@ import (
 )
 
 type ProviderData struct {
-	ProviderName string
-	ClientID     string
-	ClientSecret string
-	LoginUrl     *url.URL
-	RedeemUrl    *url.URL
-	ProfileUrl   *url.URL
-	ValidateUrl  *url.URL
-	Scope        string
+	ProviderName   string
+	ClientID       string
+	ClientSecret   string
+	LoginUrl       *url.URL
+	RedeemUrl      *url.URL
+	ProfileUrl     *url.URL
+	ValidateUrl    *url.URL
+	Scope          string
+	ApprovalPrompt string
 }
 
 func (p *ProviderData) Data() *ProviderData { return p }
diff --git a/providers/provider_default.go b/providers/provider_default.go
index b18212f..d0b46b9 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -80,7 +80,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
 	a = *p.LoginUrl
 	params, _ := url.ParseQuery(a.RawQuery)
 	params.Set("redirect_uri", redirectURI)
-	params.Set("approval_prompt", "force")
+	params.Set("approval_prompt", p.ApprovalPrompt)
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")