okta · oleksandrpravosudko-okta · Jan 24, 2022 · Jan 24, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 4.5.0
+
+### Features
+
+- [#40](https://github.com/okta/okta-oidc-middleware/pull/34) Allows passing `loginHint` to `ensureAuthenticated`
+
 # 4.4.0
 
 ### Bug Fixes

diff --git a/README.md b/README.md
@@ -217,7 +217,7 @@ oidc.on('error', err => {
 });
 ```
 
-#### oidc.ensureAuthenticated({ redirectTo?: '/uri' })
+#### oidc.ensureAuthenticated({ redirectTo?: '/uri', loginHint?: 'username' })
 
 Use this to protect your routes. If not authenticated, this will redirect to the login route and trigger the authentication flow. If the request prefers JSON then a 401 error response will be sent.
 
@@ -229,6 +229,8 @@ app.get('/protected', oidc.ensureAuthenticated(), (req, res) => {
 
 The `redirectTo` option can be used to redirect the user to a specific URI on your site after a successful authentication callback.
 
+Passing `loginHint` option will append `login_hint` query parameter to URL when redirecting to Okta-hosted sign in page.
+
 #### oidc.forceLogoutAndRevoke()
 
 Use this to define a route that will force a logout of the user from Okta and the local session.  Because logout involves redirecting to Okta and then to the logout callback URI, the body of this route will never directly execute.  It is recommended to not perform logout on GET queries as it is prone to attacks and/or prefetching misadventures.

diff --git a/src/.eslintrc.json b/src/.eslintrc.json
@@ -1,5 +1,8 @@
 {
   "env": {
     "node": true
+  },
+  "parserOptions": {
+    "ecmaVersion": 2018
   }
 }
diff --git a/src/connectUtil.js b/src/connectUtil.js
@@ -44,8 +44,8 @@ connectUtil.createOIDCRouter = context => {
 };
 
 connectUtil.createLoginHandler = context => {
-  const passportHandler = passport.authenticate('oidc');
   const csrfProtection = csrf();
+  const ALLOWED_OPTIONS = ['login_hint'];
 
   return function(req, res, next) {
     const viewHandler = context.options.routes.login.viewHandler;
@@ -76,6 +76,15 @@ connectUtil.createLoginHandler = context => {
         return res.redirect(authorizationUrl);
       });
     }
+    const options = Object.keys(req.query).reduce((opts, option) => {
+      return ALLOWED_OPTIONS.includes(option) ? {
+        ...opts,
+        [option]: req.query[option]
+      } : {
+        ...opts
+      }
+    }, {})
+    const passportHandler = passport.authenticate('oidc', options);
     return passportHandler.apply(this, arguments);
   }
 };

diff --git a/src/oidcUtil.js b/src/oidcUtil.js
@@ -47,6 +47,17 @@ function customizeUserAgent(options) {
   return options;
 }
 
+function appendOptionsToQuery(url, options) {
+  if (options.loginHint) {
+    const urlObject = new URL(url, 'relative:///');
+    const searchParams = urlObject.searchParams;
+    searchParams.append('login_hint', options.loginHint);
+    // extend original query (if any)
+    return `${url.split('?').shift()}${urlObject.search}`;
+  }
+  return url;
+}
+
 oidcUtil.createClient = context => {
   const {
     issuer,
@@ -133,9 +144,8 @@ oidcUtil.ensureAuthenticated = (context, options = {}) => {
         if (req.session) {
           req.session.returnTo = req.originalUrl || req.url;
         }
-
         const url = options.redirectTo || context.options.routes.login.path;
-        return res.redirect(url);
+        return res.redirect(appendOptionsToQuery(url, options));
       }
 
       next();

diff --git a/test/unit/connectUtil.spec.js b/test/unit/connectUtil.spec.js
@@ -0,0 +1,44 @@
+const connectUtil = require('../../src/connectUtil.js');
+
+jest.mock('csurf', function () {
+  return function () {
+
+  }
+});
+
+var mockAuthenticate;
+jest.mock('passport', function () {
+  mockAuthenticate = jest.fn().mockReturnValue(() => {})
+  return {
+    authenticate: mockAuthenticate
+  }
+})
+
+
+
+describe('connectUtil', function () {
+  describe('createLoginHandler', function () {
+    it('passes known options to passport handler initializer', function () {
+      const loginHandler = connectUtil.createLoginHandler({
+        options: {
+          routes: {
+            login: {
+            }
+          }
+        }
+      });
+      const res = {};
+      const req = {
+        query: {
+          login_hint: 'username@org.org',
+          chown_base: true
+        }
+      };
+
+      loginHandler(req, res);
+      expect(mockAuthenticate).toBeCalledWith('oidc', {
+        login_hint: 'username@org.org'
+      });
+    });
+  });
+});
diff --git a/test/unit/oidcUtil.spec.js b/test/unit/oidcUtil.spec.js
@@ -2,6 +2,16 @@ const passport = require('passport');
 const OpenIdClient = require('openid-client');
 const oidcUtil = require('../../src/oidcUtil.js');
 
+jest.mock('negotiator', function () {
+  return function () {
+      return {
+        mediaType: function () {
+          return 'text/html';
+        }
+      }
+    }
+});
+
 function createMockOpenIdClient(config={}) {
   const Issuer = OpenIdClient.Issuer;
 
@@ -94,6 +104,21 @@ describe('oidcUtil', function () {
         expect(error).toEqual(undefined);
       };
       passportStrategy.authenticate(createMockRedirectRequest());
-    })
-  })
+    });
+  });
+
+  describe('ensureAuthenticated', () => {
+    it('appends known options to redirect URL', () => {
+      const requestHandler = oidcUtil.ensureAuthenticated({}, {
+        redirectTo: '/login',
+        loginHint: 'username@org.org'
+      });
+      let req = jest.mock();
+      let res = {
+        redirect: jest.fn()
+      };
+      requestHandler(req, res, () => {});
+      expect(res.redirect).toBeCalledWith('/login?login_hint=username%40org.org');
+    });
+  });
 })