Diffstat (limited to 'internal/oidc/util.go')
-rw-r--r--internal/oidc/util.go40
1 files changed, 40 insertions, 0 deletions
diff --git a/internal/oidc/util.go b/internal/oidc/util.go
index 26382dce0..3b3b22d12 100644
--- a/internal/oidc/util.go
+++ b/internal/oidc/util.go
@@ -6,6 +6,7 @@ import (
"net/http"
"net/url"
"sort"
+ "strconv"
"strings"
"time"
@@ -368,6 +369,45 @@ func IsMaybeSignedJWT(value string) (is bool) {
return strings.Count(value, ".") == 2
}
+// RequesterRequiresLogin returns true if the oauthelia2.Requester requires the user to authenticate again.
+func RequesterRequiresLogin(requester oauthelia2.Requester, requested, authenticated time.Time) (required bool) {
+ if requester == nil {
+ return false
+ }
+
+ if _, ok := requester.(oauthelia2.DeviceAuthorizeRequester); ok {
+ return false
+ }
+
+ return RequestFormRequiresLogin(requester.GetRequestForm(), requested, authenticated)
+}
+
+// RequestFormRequiresLogin returns true if the form requires the user to authenticate again.
+func RequestFormRequiresLogin(form url.Values, requested, authenticated time.Time) (required bool) {
+ if form.Has(FormParameterPrompt) {
+ if oauthelia2.Arguments(oauthelia2.RemoveEmpty(strings.Split(form.Get(FormParameterPrompt), " "))).Has(PromptLogin) && authenticated.Before(requested) {
+ return true
+ }
+ }
+
+ if form.Has(FormParameterMaximumAge) {
+ value := form.Get(FormParameterMaximumAge)
+
+ var (
+ age int64
+ err error
+ )
+
+ if age, err = strconv.ParseInt(value, 10, 64); err != nil {
+ age = 0
+ }
+
+ return age == 0 || authenticated.IsZero() || requested.IsZero() || authenticated.Add(time.Duration(age)*time.Second).Before(requested)
+ }
+
+ return false
+}
+
func ValidateSectorIdentifierURI(ctx ClientContext, cache map[string][]string, sectorURI *url.URL, redirectURIs []string) (err error) {
var (
sectorRedirectURIs []string
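Review bot: In RequestFormRequiresLogin the max_age branch (the strconv.ParseInt call through the final return) collapses only a parse failure to 0, so a negative `max_age` flows into `time.Duration(age)*time.Second`; the result still forces re-authentication, but only as a side effect of the negative duration, and a very large value silently overflows the int64 duration, which makes the outcome hard to reason about. Clamping at the parse site makes the intent explicit: `if age, err = strconv.ParseInt(value, 10, 64); err != nil || age < 0 { age = 0 }`. I would also document the chosen policy above that branch, e.g. `// A malformed, zero or negative max_age is treated as max_age=0, which requires re-authentication (the conservative choice).`, since the doc comment on the function currently says nothing about how bad input is handled. The same applies to RequesterRequiresLogin's doc comment, which could note that device authorization requests never require re-authentication. ValidateSectorIdentifierURI begins in this hunk but its body continues outside it.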