From f6105f079d6018a56b1fc72509ab787f00bf675d Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 31 Mar 2026 23:43:57 +0800
Subject: [PATCH] fix(login): switch frontend account login to oidc flow
---
 app/api/auth.py | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/app/api/auth.py b/app/api/auth.py
index d930c5a..01cc25c 100644
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -112,7 +112,11 @@ def login(payload: LoginRequest) -> LoginResponse:
 @router.get("/oidc/url", response_model=OIDCAuthUrlResponse)
-def get_oidc_authorize_url(redirect_uri: str) -> OIDCAuthUrlResponse:
+def get_oidc_authorize_url(
+ redirect_uri: str,
+ login_hint: str | None = None,
+ prompt: str = "login",
+) -> OIDCAuthUrlResponse:
 settings = get_settings()
 client_id = settings.authentik_client_id or settings.authentik_audience
 if not settings.authentik_base_url or not client_id:
@@ -120,16 +124,18 @@ def get_oidc_authorize_url(redirect_uri: str) -> OIDCAuthUrlResponse:
 authorize_endpoint = urljoin(settings.authentik_base_url.rstrip("/") + "/", "application/o/authorize/")
 state = secrets.token_urlsafe(24)
-params = httpx.QueryParams(
- {
- "client_id": client_id,
- "response_type": "code",
- "scope": "openid profile email",
- "redirect_uri": redirect_uri,
- "state": state,
- "prompt": "login",
- }
- )
+ query = {
+ "client_id": client_id,
+ "response_type": "code",
+ "scope": "openid profile email",
+ "redirect_uri": redirect_uri,
+ "state": state,
+ "prompt": prompt or "login",
+ }
+ if login_hint:
+ query["login_hint"] = login_hint
+
+ params = httpx.QueryParams(query)
 return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}")
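Review bot: `prompt` is now caller-controlled and reaches the authorize URL unchecked, both in the new signature of `get_oidc_authorize_url` (first hunk) and at `"prompt": prompt or "login"` (second hunk). The `or "login"` fallback only covers an empty string, so a request with `prompt=none` produces a URL without the forced re-authentication that the previously hard-coded `"login"` guaranteed, and any other string is forwarded to the IdP as-is. If forced login is meant to stay the floor for account sign-in, constrain the parameter to the values the frontend actually needs, for example `prompt: Literal["login", "select_account"] = "login"` (assuming this is a FastAPI route; `Literal` would have to be imported in the import block, which is outside the hunk). `login_hint` is likewise passed through with no length bound, and a `max_length` on the query parameter would keep oversized values out of the generated URL.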
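Review bot: In the second hunk, `state = secrets.token_urlsafe(24)` is only embedded in `authorize_url`; nothing in the visible lines stores it or ties it to the caller's browser session. With the frontend account login now routed through this flow, the callback must compare the returned `state` with a value held for that same browser, otherwise the login is exposed to login CSRF. That check may live in the frontend or in the callback handler, neither of which is shown here. If so, a comment above the line would make the contract explicit: `# state is not stored server-side; the caller must keep it and verify it on the callback`. The function also has no docstring, and one stating that `redirect_uri`, `login_hint` and `prompt` come straight from the query string would help the next reviewer.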