FEATURE: Allow parameters to be passed from /auth/oidc to the IDP

The most common use case is when you want the IDP to start with a specific screen (e.g. signup, rather than sign in). This change has no effect by default; you must add the parameter names to the openid_connect_authorize_parameters site setting.
David Taylor 2020-01-08 14:15:32 +00:00
parent 67a5595e98
commit 9ad63a3fc7
3 changed files with 8 additions and 2 deletions


@ -8,4 +8,5 @@ en:
openid_connect_token_scope: "The scopes sent when requesting the token endpoint. The official specification does not require this."
openid_connect_error_redirects: "If the callback error_reason contains the first parameter, the user will be redirected to the URL in the second parameter"
openid_connect_allow_association_change: "Allow users to disconnect and reconnect their Discourse accounts from the OpenID Connect provider"
openid_connect_verbose_logging: "Log detailed openid-connect authentication information to `/logs`. Keep this disabled during normal use."
openid_connect_verbose_logging: "Log detailed openid-connect authentication information to `/logs`. Keep this disabled during normal use."
openid_connect_authorize_parameters: "URL parameters which will be included in the redirect from /auth/oidc to the IDP's authorize endpoint"
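Review bot: the description for openid_connect_authorize_parameters reads as though the admin supplies the URL parameters themselves, but per the commit message it is a list of parameter names whose values are copied from whatever query string the browser sends to /auth/oidc, i.e. user-controlled data. Suggest wording that says so and warns which names not to list, e.g. "Names of query parameters which, if present in the request to /auth/oidc, are forwarded to the IDP's authorize endpoint. Do not list core protocol parameters such as state, nonce, redirect_uri, client_id or response_type." The unchanged openid_connect_verbose_logging line also appears as both removed and re-added in this hunk (presumably a trailing-newline fix); harmless, but unrelated to the feature and worth a mention in the commit message.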


@ -19,3 +19,7 @@ plugins:
default: ''
type: list
list_type: secret
openid_connect_authorize_parameters:
default: ''
type: list
list_type: compact
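Review bot: the new list setting has no validation, so any string can be added as a passthrough name, including parameters the strategy sets itself. Since the entries decide which user-supplied query parameters are copied into the authorize redirect, consider a validator that rejects reserved OAuth/OIDC names (client_id, redirect_uri, response_type, scope, state, nonce) and trims whitespace, rather than relying on the admin to know which names are unsafe. `list_type: compact` with `default: ''` is otherwise consistent with the `split("|")` in the authenticator.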


@ -50,7 +50,8 @@ class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
scope: SiteSetting.openid_connect_authorize_scope,
token_params: {
scope: SiteSetting.openid_connect_token_scope,
}
},
passthrough_authorize_options: SiteSetting.openid_connect_authorize_parameters.split("|")
)
}
end
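Review bot: `SiteSetting.openid_connect_authorize_parameters.split("|")` passes padded or empty entries straight through: "prompt| screen_hint" yields " screen_hint" and "prompt||screen_hint" yields an empty string in the middle, neither of which will match an incoming parameter name. Suggest `passthrough_authorize_options: SiteSetting.openid_connect_authorize_parameters.split("|").map(&:strip).reject(&:blank?)`. Reading the setting inside what appears to be the per-request setup block is the right choice, since changes apply on the next request without a restart. The commit touches no spec (3 changed files, all non-test); a test that a listed parameter reaches the authorize URL and an unlisted one does not would pin the behaviour down.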