feat: support prompt=create

consent/strategy_default.go

@@ -280,7 +280,7 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(ctx context.Context, w ht
 	}
 
 	var baseURL *url.URL
-	if stringslice.Has(prompt, "registration") {
+	if stringslice.Has(prompt, "registration") || stringslice.Has(prompt, "create") {
 		baseURL = s.c.RegistrationURL(ctx)
 	} else {
 		baseURL = s.c.LoginURL(ctx)

oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json

@@ -97,5 +97,11 @@
   "userinfo_signing_alg_values_supported": [
     "none",
     "RS256"
+  ],
+  "prompt_values_supported": [
+    "none",
+    "login",
+    "consent",
+    "select_account"
   ]
 }

oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json

@@ -97,5 +97,11 @@
   "userinfo_signing_alg_values_supported": [
     "none",
     "RS256"
+  ],
+  "prompt_values_supported": [
+    "none",
+    "login",
+    "consent",
+    "select_account"
   ]
 }

oauth2/handler.go

@@ -427,6 +427,11 @@ type oidcConfiguration struct {
 	//
 	// JSON array containing a list of the Verifiable Credentials supported by this authorization server.
 	CredentialsSupportedDraft00 []CredentialSupportedDraft00 `json:"credentials_supported_draft_00"`
+
+	// Initiating User Registration via OpenID Connect 1.0
+	//
+	// JSON array containing the list of prompt values that this OP supports.
+	PromptValuesSupported []string `json:"prompt_values_supported"`
 }
 
 // Verifiable Credentials Metadata (Draft 00)
@@ -521,6 +526,7 @@ func (h *Handler) discoverOidcConfiguration(w http.ResponseWriter, r *http.Reque
 				"EdDSA",
 			},
 		}},
+		PromptValuesSupported: []string{"none", "login", "consent", "select_account", "create"},
 	})
 }
 

oauth2/handler_test.go

@@ -365,6 +365,7 @@ func TestHandlerWellKnown(t *testing.T) {
 
 		var wellKnownResp hydra.OidcConfiguration
 		err = json.NewDecoder(res.Body).Decode(&wellKnownResp)
+		fmt.Printf("%#v", wellKnownResp)
 		require.NoError(t, err, "problem decoding wellknown json response: %+v", err)
 		snapshotx.SnapshotT(t, wellKnownResp)
 	})

oauth2/oauth2_auth_code_test.go

@@ -648,6 +648,27 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 
 		assertIDToken(t, token, conf, subject, nonce, time.Now().Add(reg.Config().GetIDTokenLifespan(ctx)))
 	})
+	t.Run("case=perform flow with prompt=create", func(t *testing.T) {
+		c, conf := newOAuth2Client(t, reg, testhelpers.NewCallbackURL(t, "callback", testhelpers.HTTPServerNotImplementedHandler))
+
+		regUI := httptest.NewServer(acceptLoginHandler(t, c, subject, nil))
+		t.Cleanup(regUI.Close)
+		reg.Config().MustSet(ctx, config.KeyRegistrationURL, regUI.URL)
+
+		testhelpers.NewLoginConsentUI(t, reg.Config(),
+			nil,
+			acceptConsentHandler(t, c, subject, nil))
+
+		code, _ := getAuthorizeCode(t, conf, nil,
+			oauth2.SetAuthURLParam("prompt", "create"),
+			oauth2.SetAuthURLParam("nonce", nonce))
+		require.NotEmpty(t, code)
+
+		token, err := conf.Exchange(context.Background(), code)
+		require.NoError(t, err)
+
+		assertIDToken(t, token, conf, subject, nonce, time.Now().Add(reg.Config().GetIDTokenLifespan(ctx)))
+	})
 
 	t.Run("case=perform flow with audience", func(t *testing.T) {
 		expectAud := "https://api.ory.sh/"

spec/config.json

@@ -778,7 +778,7 @@
         },
         "registration": {
           "type": "string",
-          "description": "Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to the same value as `login`. The registration URL is used if the authorization request was started with the `prompt=registration` parameter.",
+          "description": "Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to the same value as `login`. The registration URL is used if the authorization request was started with the `prompt=registration` or `prompt=create` parameter.",
           "format": "uri-reference",
           "examples": [
             "https://my-login.app/registration",