Hi,

I’m integrating Drupal OpenID Connect with a provider (Pro Santé Connect) that does not support the email scope and requires additional authorization parameters (nonce, acr_values).

Currently, email is added by default in the base client and there doesn’t seem to be a hook or extension point to:

  • remove email from the authorization request
  • add custom authorization parameters

For testing purposes, I patched OpenIDConnectClientBase to:

  • remove the email scope
  • add nonce and acr_values to the authorization URL

This works correctly.

Before going further, I’d like to know the recommended approach:

  • Is there an existing hook to alter scopes / authorization parameters?
  • Or is the intended solution to implement a full custom client plugin?

A custom plugin is possible, but in my case the provider is slow to update registered redirect URLs, so changing the client/plugin has a real impact.

Comments

sébastien-fr created an issue.
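
An added example, not part of the original issue and not the openid_connect module's code: a plain-PHP sketch of the authorization request described above (no email scope, plus nonce and acr_values) together with the check that makes those parameters meaningful when the ID token comes back. The function names, endpoint, client ID and acr value are hypothetical placeholders, and the ID token's signature is assumed to have been verified before the claims are checked.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not part of the Drupal openid_connect module.

/** Build the authorization URL. $state and $nonce must already be stored in the user's session. */
function build_authorization_url(string $endpoint, string $clientId, string $redirectUri,
    array $scopes, string $state, string $nonce, string $acrValues): string {
  // "openid" is always sent; "email" is dropped because the provider rejects it.
  $scopes = array_values(array_unique(array_diff(array_merge(['openid'], $scopes), ['email'])));
  $query = http_build_query([
    'response_type' => 'code',
    'client_id' => $clientId,
    'redirect_uri' => $redirectUri,
    'scope' => implode(' ', $scopes),
    'state' => $state,
    'nonce' => $nonce,
    'acr_values' => $acrValues,
  ], '', '&', PHP_QUERY_RFC3986);
  return $endpoint . (str_contains($endpoint, '?') ? '&' : '?') . $query;
}

/** Check the nonce and acr claims of an ID token whose signature has ALREADY been verified. */
function check_id_token_claims(array $claims, string $expectedNonce, array $acceptedAcr): bool {
  // The nonce binds the token to this browser session; compare in constant time.
  $nonceOk = isset($claims['nonce']) && is_string($claims['nonce'])
    && hash_equals($expectedNonce, $claims['nonce']);
  // acr_values is only a request, so the level actually granted has to be checked.
  $acrOk = isset($claims['acr']) && in_array($claims['acr'], $acceptedAcr, true);
  return $nonceOk && $acrOk;
}

// Constructed sample values; in a real flow the nonce and state live in the session.
$nonce = bin2hex(random_bytes(16));
$state = bin2hex(random_bytes(16));
$url = build_authorization_url('https://idp.example.invalid/authorize', 'CLIENT_ID_PLACEHOLDER',
  'https://site.example.invalid/callback', ['openid', 'email', 'profile'],
  $state, $nonce, 'ACR_PLACEHOLDER');
echo $url, PHP_EOL;

// Matching nonce and accepted acr, then a mismatched nonce (for example a replayed token).
var_dump(check_id_token_claims(['nonce' => $nonce, 'acr' => 'ACR_PLACEHOLDER'], $nonce, ['ACR_PLACEHOLDER']));
var_dump(check_id_token_claims(['nonce' => 'stale-value', 'acr' => 'ACR_PLACEHOLDER'], $nonce, ['ACR_PLACEHOLDER']));
```

Sending nonce in the URL without comparing it against the ID token on return gives no replay protection, so any patch or plugin that adds the parameter needs the matching check on the callback side.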