From the SAML 2.0 Core spec.
IsPassive [Optional] A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default is "false".
A Liferay OAuth 2 provider that delegates user authentication to a SAML IdP could set this attribute on the AuthnRequest it issues while handling an Authorization Code grant. The IdP then either authenticates the user silently or returns a Response with a NoPassive status, so the OAuth 2 client is guaranteed a machine-readable success/error result instead of a login page.
If, at the same time, a similar parameter were introduced for the OAuth 2 Authorization Code grant itself, suppressing the user authorization (consent) prompt, i.e. the HTML response, the entire flow could complete non-interactively: just a series of HTTP redirects ending in a final response that carries the OAuth 2 authorization code or an error. (OpenID Connect's prompt=none parameter serves exactly this purpose for OIDC authorization requests.)
- This proposal assumes the use/support of the SAML HTTP-Redirect binding.
- The client app uses the same IdP for user authentication (but it could use a different SSO protocol than SAML that better suits the client's capabilities, possibly OpenID Connect, though Liferay is currently not an OIDC provider).
- The non-interactive OAuth 2 Authorization Code Grant flow must have sufficient CSRF protection (e.g. a state parameter bound to the client's session and a strictly validated redirect_uri), since without a user prompt a forged authorization request would complete silently.
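The exchange sketched above, as an added simulation that is not part of this ticket or of Liferay's code: the authorization endpoint builds a SAML AuthnRequest with IsPassive="true", sends it over the HTTP-Redirect binding (raw DEFLATE + base64 + URL-encoding), a stub IdP answers either Success or the Responder/NoPassive status pair, and the endpoint maps that to a code or a machine-readable error redirect that echoes the client's state. The `passive` parameter, the endpoint URLs, the pre-authorized client table and the `login_required`/`consent_required` error names (borrowed from OpenID Connect, since plain OAuth 2 defines none) are assumptions for the example; signatures, assertions and real HTTP are omitted.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

IDP_SSO_URL = "https://idp.example/sso"            # assumed IdP endpoint
SP_ACS_URL = "https://liferay.example/saml/acs"    # assumed SP endpoint
# Constructed table of (client_id, redirect_uri) pairs the user approved earlier;
# only these can complete without a consent prompt.
PRE_AUTHORIZED = {("client-1", "https://app.example/cb")}


def build_authn_request(issuer: str, is_passive: bool) -> Tuple[str, str]:
    """Return (request ID, AuthnRequest XML). IsPassive is the SAML Core attribute."""
    req_id = "_" + secrets.token_hex(16)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{now}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'IsPassive="{"true" if is_passive else "false"}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml


def redirect_binding_url(request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def idp_handle_redirect(url: str, has_session: bool) -> Optional[str]:
    """Stub IdP: returns a <Response> XML, or None where it would render its login form."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    req = ET.fromstring(xml)
    if has_session:
        status = f'<samlp:StatusCode Value="{STATUS_SUCCESS}"/>'
    elif req.get("IsPassive", "false") == "true":
        # Passive request that cannot be satisfied: no UI, answer Responder/NoPassive
        status = (f'<samlp:StatusCode Value="{STATUS_RESPONDER}">'
                  f'<samlp:StatusCode Value="{STATUS_NO_PASSIVE}"/></samlp:StatusCode>')
    else:
        return None  # non-passive request: the IdP takes over the UI here
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" Version="2.0" '
            f'InResponseTo="{req.get("ID")}">'
            f"<samlp:Status>{status}</samlp:Status></samlp:Response>")


def parse_status(response_xml: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (InResponseTo, top-level status, second-level status or None)."""
    root = ET.fromstring(response_xml)
    ns = {"samlp": SAMLP}
    top = root.find("samlp:Status/samlp:StatusCode", ns)
    second = top.find("samlp:StatusCode", ns)
    return root.get("InResponseTo"), top.get("Value"), (second.get("Value") if second is not None else None)


def authorize(client_id: str, redirect_uri: str, state: str, passive: bool, idp_has_session: bool) -> dict:
    """Authorization endpoint with a hypothetical 'passive' parameter (mirrors OIDC prompt=none).

    Returns the query parameters of the redirect back to the client, or
    {'page': 'login'} / {'page': 'consent'} where an HTML prompt would be rendered.
    """
    req_id, req_xml = build_authn_request("https://liferay.example", passive)
    # RelayState carries only the opaque request ID; client_id/redirect_uri/state stay server-side
    response_xml = idp_handle_redirect(redirect_binding_url(req_xml, req_id), idp_has_session)
    if response_xml is None:
        return {"page": "login"}
    in_response_to, top, second = parse_status(response_xml)
    if in_response_to != req_id:
        return {"error": "server_error", "state": state}  # unsolicited or replayed response
    if top != STATUS_SUCCESS:
        err = "login_required" if second == STATUS_NO_PASSIVE else "server_error"
        return {"error": err, "state": state}
    if (client_id, redirect_uri) not in PRE_AUTHORIZED:
        return {"error": "consent_required", "state": state} if passive else {"page": "consent"}
    return {"code": secrets.token_urlsafe(32), "state": state}
```

Every non-HTML outcome of `authorize()` echoes the client's `state`, which is what lets the client reject a forged or replayed callback; the `InResponseTo` check plays the same role on the SAML leg.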
Please see the comment below with a first analysis approach.