Filter for prompt handling

app/controllers/api/openid_connect/authorizations_controller.rb

@@ -6,7 +6,7 @@ module Api
         render json: {error: e.message || :error, status: e.status}
       end
 
-      before_action :authenticate_user!
+      before_action :auth_user_unless_prompt_none!
 
       def new
         auth = Api::OpenidConnect::Authorization.find_by_client_id_and_user(params[:client_id], current_user)
@@ -201,6 +201,17 @@ module Api
         redirect_fragment = redirect_params_hash.compact.map {|key, value| key.to_s + "=" + value }.join("&")
         redirect_to params[:redirect_uri] + "?" + redirect_fragment
       end
+
+      private
+
+      def auth_user_unless_prompt_none!
+        if params[:prompt] == "none" && !user_signed_in?
+          render json: {error: "login_required",
+                        description: "User must be first logged in when `prompt` is `none`"}
+        else
+          authenticate_user!
+        end
+      end
     end
   end
 end

spec/controllers/api/openid_connect/authorizations_controller_spec.rb

@@ -95,6 +95,19 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
         end
       end
 
+      context "when prompt is none and user not signed in" do
+        before do
+          sign_out :user
+        end
+
+        it "should return an interaction required error" do
+          post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
+               response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
+          json_body = JSON.parse(response.body)
+          expect(json_body["error"]).to match("login_required")
+        end
+      end
+
       context "when prompt is none and consent" do
         it "should return an interaction required error" do
           post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",