From 9d137326e01ff214bf94713e8a9f8d84525af2a3 Mon Sep 17 00:00:00 2001
From: tiran133
Date: Wed, 24 Jun 2026 08:48:16 +1000
Subject: [PATCH] Support OIDC registration prompt Allow the OpenID Connect login endpoint to receive a register flag and carry that intent through the OIDC credentials object. When registration is requested, send prompt=create to the provider instead of the regular forced login prompt. This lets ILIAS initiate the OIDC request itself, preserving state handling while delegating account registration to the identity provider.
---
 ...class.ilAuthFrontendCredentialsOpenIdConnect.php | 13 +++++++++++++
 .../classes/class.ilAuthProviderOpenIdConnect.php | 9 ++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/components/ILIAS/OpenIdConnect/classes/class.ilAuthFrontendCredentialsOpenIdConnect.php b/components/ILIAS/OpenIdConnect/classes/class.ilAuthFrontendCredentialsOpenIdConnect.php
index d3a2b41cbeb2..8a70c0a7b9d2 100755
--- a/components/ILIAS/OpenIdConnect/classes/class.ilAuthFrontendCredentialsOpenIdConnect.php
+++ b/components/ILIAS/OpenIdConnect/classes/class.ilAuthFrontendCredentialsOpenIdConnect.php
@@ -22,9 +22,11 @@ class ilAuthFrontendCredentialsOpenIdConnect extends ilAuthFrontendCredentials
 {
 private const SESSION_TARGET = 'oidc_target';
 private const QUERY_PARAM_TARGET = 'target';
+ private const QUERY_PARAM_REGISTER = 'register';
 private readonly ilOpenIdConnectSettings $settings;
 private ?string $target = null;
+ private bool $registration_requested = false;
 public function __construct()
 {
@@ -37,6 +39,12 @@ public function __construct()
 if ($httpquery->has(self::QUERY_PARAM_TARGET)) {
 $this->target = $httpquery->retrieve(self::QUERY_PARAM_TARGET, $DIC->refinery()->to()->string());
 }
+ if ($httpquery->has(self::QUERY_PARAM_REGISTER)) {
+ $this->registration_requested = $httpquery->retrieve(
+ self::QUERY_PARAM_REGISTER,
+ $DIC->refinery()->kindlyTo()->bool()
+ );
+ }
 }
 protected function getSettings(): ilOpenIdConnectSettings
@@ -49,6 +57,11 @@ public function getRedirectionTarget(): ?string
 return $this->target;
 }
+ public function isRegistrationRequested(): bool
+ {
+ return $this->registration_requested;
+ }
+
 public function initFromRequest(): void
 {
 $this->setUsername('');
diff --git a/components/ILIAS/OpenIdConnect/classes/class.ilAuthProviderOpenIdConnect.php b/components/ILIAS/OpenIdConnect/classes/class.ilAuthProviderOpenIdConnect.php
index 59400714c05f..8a80ee4e0b0c 100755
--- a/components/ILIAS/OpenIdConnect/classes/class.ilAuthProviderOpenIdConnect.php
+++ b/components/ILIAS/OpenIdConnect/classes/class.ilAuthProviderOpenIdConnect.php
@@ -95,7 +95,14 @@ public function doAuthentication(ilAuthStatus $status): bool
 );
 $oidc->addScope($this->settings->getAllScopes());
- if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
+
+ $credentials = $this->getCredentials();
+ if (
+ $credentials instanceof ilAuthFrontendCredentialsOpenIdConnect &&
+ $credentials->isRegistrationRequested()
+ ) {
+ $oidc->addAuthParam(['prompt' => 'create']);
+ } elseif ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
 $oidc->addAuthParam(['prompt' => 'login']);
 }
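Review bot: In `__construct()` of class.ilAuthFrontendCredentialsOpenIdConnect.php (hunk `@@ -37,6 +39,12 @@`), the `register` query parameter is read on the pre-authentication login endpoint through `kindlyTo()->bool()` with no fallback for values that are not boolean-like. As far as I know that transformation throws when it cannot map the input, so a malformed `register` value would probably surface as an unhandled exception instead of a normal login attempt. Defaulting to `false` keeps bad input harmless: `$DIC->refinery()->byTrying([$DIC->refinery()->kindlyTo()->bool(), $DIC->refinery()->always(false)])`. The constructor begins above the hunk, so an existing guard further up cannot be ruled out from here.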
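Review bot: In `doAuthentication()` (class.ilAuthProviderOpenIdConnect.php, hunk `@@ -95,7 +95,14 @@`), the new `if`/`elseif` lets the request-supplied `register` flag take precedence over the administrator's `LOGIN_ENFORCE` setting, so `prompt=login` is no longer sent whenever the caller adds that query parameter. If the provider ignores or does not implement `prompt=create`, a user with an existing provider session could presumably be signed in without the re-authentication the setting is meant to force. I would honour the flag only when an explicit admin option enables provider-side registration, for example by adding `$this->settings->isProviderRegistrationEnabled() &&` to the condition (placeholder name; no such setting is visible in this patch). A short comment on the branch, such as `// prompt=create replaces the enforced login prompt; only valid for providers that support it`, would also make the trade-off visible. `doAuthentication()` starts and ends outside the hunk.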