made prompt pluralizable to comply with spec, closes #519

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -45,6 +45,8 @@ import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.SessionAttributes;
 
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Multimap;
@@ -90,7 +92,8 @@ public class OAuthConfirmationController {
 		// Check the "prompt" parameter to see if we need to do special processing
 
 		String prompt = (String)clientAuth.getExtensions().get("prompt");
-		if ("none".equals(prompt)) {
+		List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
+		if (prompts.contains("none")) {
 			// we're not supposed to prompt, so "return an error"
 			logger.info("Client requested no prompt, returning 403 from confirmation endpoint");
 			model.put("code", HttpStatus.FORBIDDEN);

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java

@@ -22,6 +22,7 @@ package org.mitre.openid.connect.filter;
 import java.io.IOException;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import javax.servlet.FilterChain;
@@ -43,6 +44,9 @@ import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.GenericFilterBean;
 
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+
 /**
  * @author jricher
  *
@@ -72,8 +76,9 @@ public class PromptFilter extends GenericFilterBean {
 		if (authRequest.getExtensions().get("prompt") != null) {
 			// we have a "prompt" parameter
 			String prompt = (String)authRequest.getExtensions().get("prompt");
+			List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
 
-			if (prompt.equals("none")) {
+			if (prompts.contains("none")) {
 				logger.info("Client requested no prompt");
 				// see if the user's logged in
 				Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@@ -88,7 +93,7 @@ public class PromptFilter extends GenericFilterBean {
 					response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
 					return;
 				}
-			} else if (prompt.equals("login")) {
+			} else if (prompts.contains("login")) {
 
 				// first see if the user's already been prompted in this session
 				HttpSession session = request.getSession();

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -19,6 +19,7 @@ package org.mitre.openid.connect.token;
 import java.util.Calendar;
 import java.util.Collection;
 import java.util.Date;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -41,6 +42,7 @@ import org.springframework.stereotype.Component;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
+import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
 
@@ -127,7 +129,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 
 		// find out if we're supposed to force a prompt on the user or not
 		String prompt = (String) authorizationRequest.getExtensions().get("prompt");
-		if (!"consent".equals(prompt)) {
+		List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
+		if (!prompts.contains("consent")) {
 			// if the prompt parameter is set to "consent" then we can't use approved sites or whitelisted sites
 			// otherwise, we need to check them below