From a598e45bd752126ae7d0764fa4d5687f403e8e06 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 2 Nov 2020 01:41:13 -0800
Subject: [PATCH] dev/core#2141 - Set prompt=select_account whenever using MailSetup

If you're an admin setting up an email return-channel, then you may not intend to use your normal email account. It makes sense to always prompt for the preferred account.
---
 ext/oauth-client/CRM/OAuth/MailSetup.php | 1 +
 .../Action/OAuthClient/AuthorizationCode.php | 23 +++++++++++++++----
 .../Civi/OAuth/CiviGenericProvider.php | 10 ++++++++
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/ext/oauth-client/CRM/OAuth/MailSetup.php b/ext/oauth-client/CRM/OAuth/MailSetup.php
index d12a03a5d0..2ed9c01751 100644
--- a/ext/oauth-client/CRM/OAuth/MailSetup.php
+++ b/ext/oauth-client/CRM/OAuth/MailSetup.php
@@ -46,6 +46,7 @@ class CRM_OAuth_MailSetup {
       ->addWhere('id', '=', $setupAction['oauth_client_id'])
       ->setStorage('OAuthSysToken')
       ->setTag('MailSettings:setup')
+      ->setPrompt('select_account')
       ->execute()
       ->single();
 
diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php b/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
index 3868973be0..8accac29c1 100644
--- a/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
+++ b/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
@@ -24,6 +24,8 @@ use Civi\Api4\Generic\Result;
  *
  * @method $this setLandingUrl(string $landingUrl)
  * @method string getLandingUrl()
+ * @method $this setPrompt(string $prompt)
+ * @method string getPrompt()
  *
  * @link https://tools.ietf.org/html/rfc6749#section-4.1
  */
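Review bot: The new `@method string getPrompt()` annotation does not match the property it reads: `$prompt` is initialised to NULL in the `@@ -39,6 +41,15` hunk, so the getter returns null until `setPrompt()` has been called. Declare it as `@method string|null getPrompt()` here, and in that hunk change the property docblock to `@var string|null`. The class docblock continues outside this hunk.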
@@ -39,6 +41,15 @@ class AuthorizationCode extends AbstractGrantAction {
    */
   protected $landingUrl = NULL;
 
+  /**
+   * @var string
+   *   Ex: 'none', 'consent', 'select_account'
+   *
+   * @see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+   * @see https://developers.google.com/identity/protocols/oauth2/web-server
+   */
+  protected $prompt = NULL;
+
   /**
    * Tee-up the authorization request.
    *
@@ -63,11 +74,15 @@ class AuthorizationCode extends AbstractGrantAction {
         'scopes' => $scopes,
         'tag' => $this->getTag(),
       ]);
+      $authOptions = [
+        'state' => $stateId,
+        'scope' => $scopes,
+      ];
+      if ($this->prompt !== NULL) {
+        $authOptions['prompt'] = $this->prompt;
+      }
       $result[] = [
-        'url' => $provider->getAuthorizationUrl([
-          'state' => $stateId,
-          'scope' => $scopes,
-        ]),
+        'url' => $provider->getAuthorizationUrl($authOptions),
       ];
     }
 
diff --git a/ext/oauth-client/Civi/OAuth/CiviGenericProvider.php b/ext/oauth-client/Civi/OAuth/CiviGenericProvider.php
index 03969977be..677c21d6fd 100644
--- a/ext/oauth-client/Civi/OAuth/CiviGenericProvider.php
+++ b/ext/oauth-client/Civi/OAuth/CiviGenericProvider.php
@@ -3,4 +3,14 @@
 namespace Civi\OAuth;
 
 class CiviGenericProvider extends \League\OAuth2\Client\Provider\GenericProvider {
+  protected function getAuthorizationParameters(array $options) {
+    $newOptions = parent::getAuthorizationParameters($options);
+    if (!isset($options['approval_prompt'])) {
+      // GenericProvider insists on filling in "approval_prompt", but this seems
+      // to be disfavored nowadays b/c OpenID Connect defines "prompt".
+      unset($newOptions['approval_prompt']);
+    }
+    return $newOptions;
+  }
+
 }
-- 
2.25.1
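Review bot: The new `$prompt` value is never checked against the values its docblock documents (`none`, `consent`, `select_account`) before it is copied into the authorization URL by `$authOptions['prompt'] = $this->prompt;` in the `@@ -63,11 +74,15` hunk, so a typo or an unexpected value set through the action's parameter is only noticed when the identity provider rejects the redirect. Since the parameter is exposed via the generated `setPrompt()`, it is worth validating where the action's other inputs are validated, e.g. `if ($this->prompt !== NULL && !in_array($this->prompt, ['none', 'consent', 'select_account'], TRUE)) { throw new \InvalidArgumentException('Unsupported prompt value'); }` (OpenID Connect allows a space-separated combination, so split on spaces first if that should be supported). The same docblock should state `@var string|null`, since the default is NULL. The enclosing class body continues outside these hunks.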
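Review bot: `getAuthorizationParameters()` in the `@@ -3,4 +3,14` hunk overrides a League method without a return type or docblock; add `: array` (the League base method returns the parameter array, so narrowing is compatible — confirm against the installed version) and a short docblock such as `/** Build the authorization query; drop League's default "approval_prompt" unless the caller supplied one, because OpenID Connect providers use "prompt" instead. */`. Note also that `isset($options['approval_prompt'])` treats an explicit `'approval_prompt' => NULL` the same as an absent key, so a caller passing NULL to keep the parent's default would have the key removed; `array_key_exists('approval_prompt', $options)` expresses the intent more precisely if that distinction matters.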