Add a flag to set the value of "approval_prompt".

By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.

README.md

@@ -94,6 +94,7 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
 
 ```
 Usage of oauth2_proxy:
+  -approval_prompt="force": Oauth approval_prompt
   -authenticated-emails-file="": authenticate against emails via file (one per line)
   -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
   -client-secret="": the OAuth Client Secret

main.go

@@ -63,6 +63,7 @@ func main() {
 	flagSet.String("profile-url", "", "Profile access endpoint")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "Oauth scope specification")
+	flagSet.String("approval-prompt", "force", "Oauth approval_prompt")
 
 	flagSet.Parse(os.Args[1:])
 

options.go

@@ -46,12 +46,13 @@ type Options struct {
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
-	Provider    string `flag:"provider" cfg:"provider"`
+	Provider       string `flag:"provider" cfg:"provider"`
-	LoginUrl    string `flag:"login-url" cfg:"login_url"`
+	LoginUrl       string `flag:"login-url" cfg:"login_url"`
-	RedeemUrl   string `flag:"redeem-url" cfg:"redeem_url"`
+	RedeemUrl      string `flag:"redeem-url" cfg:"redeem_url"`
-	ProfileUrl  string `flag:"profile-url" cfg:"profile_url"`
+	ProfileUrl     string `flag:"profile-url" cfg:"profile_url"`
-	ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
+	ValidateUrl    string `flag:"validate-url" cfg:"validate_url"`
-	Scope       string `flag:"scope" cfg:"scope"`
+	Scope          string `flag:"scope" cfg:"scope"`
+	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"`
 
 	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
 
@@ -76,6 +77,7 @@ func NewOptions() *Options {
 		PassBasicAuth:       true,
 		PassAccessToken:     false,
 		PassHostHeader:      true,
+		ApprovalPrompt:      "force",
 		RequestLogging:      true,
 	}
 }
@@ -165,7 +167,12 @@ func (o *Options) Validate() error {
 }
 
 func parseProviderInfo(o *Options, msgs []string) []string {
-	p := &providers.ProviderData{Scope: o.Scope, ClientID: o.ClientID, ClientSecret: o.ClientSecret}
+	p := &providers.ProviderData{
+		Scope:          o.Scope,
+		ClientID:       o.ClientID,
+		ClientSecret:   o.ClientSecret,
+		ApprovalPrompt: o.ApprovalPrompt,
+	}
 	p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
 	p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
 	p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)

providers/provider_data.go

@@ -5,14 +5,15 @@ import (
 )
 
 type ProviderData struct {
-	ProviderName string
+	ProviderName   string
-	ClientID     string
+	ClientID       string
-	ClientSecret string
+	ClientSecret   string
-	LoginUrl     *url.URL
+	LoginUrl       *url.URL
-	RedeemUrl    *url.URL
+	RedeemUrl      *url.URL
-	ProfileUrl   *url.URL
+	ProfileUrl     *url.URL
-	ValidateUrl  *url.URL
+	ValidateUrl    *url.URL
-	Scope        string
+	Scope          string
+	ApprovalPrompt string
 }
 
 func (p *ProviderData) Data() *ProviderData { return p }

providers/provider_default.go

@@ -80,7 +80,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
 	a = *p.LoginUrl
 	params, _ := url.ParseQuery(a.RawQuery)
 	params.Set("redirect_uri", redirectURI)
-	params.Set("approval_prompt", "force")
+	params.Set("approval_prompt", p.ApprovalPrompt)
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")