quickcase · vlaurin · Mar 6, 2025 · Mar 6, 2025 · Mar 6, 2025
diff --git a/src/openid/not-authenticated.js b/src/openid/not-authenticated.js
@@ -26,14 +26,14 @@ export const startAuth302 = (deps) => (config) => (auth = {}) => (req, res) => {
     disableNonce,
     loginHint,
     maxAge,
-    prompt,
     scope,
   } = config;
 
   const nonce = disableNonce ? undefined : nonceGenerator();
   const state = stateGenerator();
 
   const authorizationUrl = authorizationUrlSupplier({
+    id_token_hint: req.session?.openId?.tokenSet?.id_token,
     login_hint: loginHint?.enable ? req.session.openId?.claims?.[loginHint.claim] : undefined,
     max_age: maxAge ?? undefined,
     nonce,

diff --git a/src/openid/not-authenticated.test.js b/src/openid/not-authenticated.test.js
@@ -136,6 +136,26 @@ describe('startAuth302', () => {
     return deps.authorizationUrlSupplier;
   }
 
+  test('should set `id_token_hint` when ID token available in existing session', async () => {
+    const ID_TOKEN = 'xxx.yyy.zzz';
+
+    const session = {
+      openId: {
+        tokenSet: {
+          id_token: ID_TOKEN
+        }
+      }
+    };
+    const authorizationUrlSupplier = await testAuthorizationUrl(options)()(session);
+
+    expect(authorizationUrlSupplier).toHaveBeenCalledWith({
+      id_token_hint: ID_TOKEN,
+      nonce: NONCE,
+      scope: options.scope,
+      state: STATE,
+    });
+  });
+
   test('should populate `login_hint` when enabled with claim', async () => {
     const config = {
       ...options,