Description
Why?
See #2317
GIVEN I am on mobile (I need to resolve the JMAP server)
THEN the mobile app prompts for the mail address
AND uses SRV records to locate the JMAP server
AND discovers the OpenID configuration with WebFinger
AND redirects to the SSO
On the SSO login page, the user is prompted again for login and password.
So the user has to input his login twice (!)
Note that for web we can preconfigure the endpoint and the SSO configuration in order to skip WebFinger/SRV records. On web we can just blindly redirect to the SSO, so we do not need to carry over the login information to the SSO.
How?
If available, the mobile application can pass the mail address to the SSO as a parameter.
Apparently we could use the `registration` parameter, which allows passing free-form JSON, to that end:
Example:
```http
HTTP/1.1 302 Found
Location: openid://?
response_type=id_token
&client_id=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&registration=%7B%22mailaddress%22%3A%22bob%40domain.tld%22%7D
```
(URL-decoded: `{"mailaddress":"bob@domain.tld"}`)
Then a LemonLDAP plugin could capture this and prefill the login field, potentially applying a pre-configured (on the LemonLDAP side) normalization step, for instance keeping only the local part.
Characteristics:
- Downgrade friendly: if the SSO does not understand this parameter, it would skip it and let the user input his name a second time...
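The SSO-side handling proposed above, as an added standalone example (not LemonLDAP::NG code and not tied to its plugin API): parse the `registration` parameter from the redirect, validate the JSON and the `mailaddress` value, apply the "keep the local part" normalization, and fall back to no prefill whenever the parameter is missing or malformed. The sample `Location` is the one from the issue; the function names and the validation regex are this example's own.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the redirect from the issue, on one line. The
# `registration` value is the URL-encoded {"mailaddress":"bob@domain.tld"}.
SAMPLE_LOCATION = (
    "openid://?response_type=id_token"
    "&client_id=https%3A%2F%2Fclient.example.org%2Fcb"
    "&scope=openid%20profile&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj"
    "&registration=%7B%22mailaddress%22%3A%22bob%40domain.tld%22%7D"
)

# Loose shape check only: one '@', no whitespace or slashes, bounded length.
_MAIL_RE = re.compile(r"^[^\s@/]{1,64}@[^\s@/]{1,255}$")
MAX_REGISTRATION_LEN = 2048  # assumption: cap on the raw JSON we accept


def extract_mailaddress(location: str) -> Optional[str]:
    """Mail address hint carried in `registration`, or None when the parameter
    is absent, duplicated, too long, not a JSON object, or has no usable
    `mailaddress` string (the downgrade path: no prefill, user types it)."""
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)
    values = params.get("registration")
    if not values or len(values) != 1:
        return None
    raw = values[0]  # parse_qs already percent-decoded it
    if len(raw) > MAX_REGISTRATION_LEN:
        return None
    try:
        reg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(reg, dict):
        return None
    mail = reg.get("mailaddress")
    if not isinstance(mail, str) or not _MAIL_RE.match(mail):
        return None
    return mail


def login_prefill(location: str, keep_local_part: bool = True) -> Optional[str]:
    """Value to prefill in the SSO login field. With keep_local_part the
    normalization from the issue is applied (bob@domain.tld -> bob). This is
    a client-supplied hint only; it never stands in for an authenticated identity."""
    mail = extract_mailaddress(location)
    if mail is None:
        return None
    return mail.split("@", 1)[0] if keep_local_part else mail
```

Because the hint comes straight from the client request, treat it exactly like any other user input when rendering it into the login form (HTML-escape it).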