Skip to content

fix: support space-separated OIDC prompt parameter values#4083

Open
raajheshkannaa wants to merge 1 commit intoory:masterfrom
raajheshkannaa:feat/fix-oidc-prompt-parsing
Open

fix: support space-separated OIDC prompt parameter values#4083
raajheshkannaa wants to merge 1 commit intoory:masterfrom
raajheshkannaa:feat/fix-oidc-prompt-parsing

Conversation

@raajheshkannaa
Copy link
Copy Markdown

@raajheshkannaa raajheshkannaa commented Mar 18, 2026

Fixes #4039

  • The OIDC spec (Section 3.1.2.1) defines prompt as a space-separated list of values
  • The existing code compared the entire string against individual values, rejecting valid multi-value inputs like select_account consent
  • Split the prompt string by spaces and use slices.Contains to check for each recognized value
  • Adds test cases for multi-value prompt combinations

@raajheshkannaa
fix: support space-separated OIDC prompt parameter values
4252380 
The OIDC spec allows multiple prompt values separated by spaces
(e.g. "select_account consent"). The validator already handled this
correctly by splitting on spaces, but GenerateIDToken in strategy_jwt.go
used a switch statement on the raw unsplit string, causing prompt
values like "login consent" to skip login-specific validation.

Split the prompt parameter by space in GenerateIDToken and use
slices.Contains to check for individual values, consistent with
how the validator and consent strategy already handle it.

Fixes ory#4039
@raajheshkannaa raajheshkannaa requested review from a team and aeneasr as code owners March 18, 2026 03:32
@raajheshkannaa
Copy link
Copy Markdown
Author

raajheshkannaa commented Apr 1, 2026

The failing scanners check is unrelated to this PR's changes. It is caused by a known high-severity vulnerability in a transitive dependency (github.com/docker/cli via CVE-2025-15558 and GHSA-p436-gjf2-799p), which also triggers on the master branch. The last 5 scanner runs on master have all failed with the same issue.

This PR only modifies OpenID Connect prompt handling logic in Go source files and does not touch Docker images, dependencies, or the Dockerfile.

Could a maintainer re-trigger the check or add an exception for this known vulnerability so the PR can proceed?

@raajheshkannaa
Copy link
Copy Markdown
Author

raajheshkannaa commented Apr 8, 2026

Friendly ping. The failing scanners check is a pre-existing CVE in the base image, not introduced by this PR. Could a maintainer re-trigger or exempt it? Happy to help if there's anything else needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unknown value '[select_account consent]' for prompt parameter

1 participant

@raajheshkannaa