Redirection on register only redirects me to solid server

Question

Redirection on register only redirects me to solid server

Closed this issue 6 years ago · 8 comments

On my app I use the .login from OIDCWebClient or solid-auth-client (tried with both)
Then I click on "register" and on success, I expected to be redirected back on my app, but instead I get redirected on the Databrowser on the solid Server.

How can I be redirected back to my app on register success ?

Answer 1 · 2018-10-11T15:02:33.000Z

I fixed this with a simple function adding the redirect_uri from the id token in the request parameter to the returnToUrl variable used for redirection on register success

  /**
   * Extracts the redirect_uri from the base 64 encoded id_token
   * in the `request` parameter in the URL
   * @param {string} encodedToken Base 64 encoded token
   * @return {string|null} redirect_uri
   */
  static extractRedirectUri (encodedToken) {
    if (!encodedToken) {
      return null
    }

    let decoded = jwtDecode(encodedToken)
    if (decoded.redirect_uri) {
      return decoded.redirect_uri
    }

    return null
  }

But it requires a package called jwtDecode as I didn't find the redirect_uri with an other method than this...

Answer 2 · 2018-10-11T20:44:28.000Z

Hmm, this is interesting; could this be interesting to add as a PR? @dmitrizagidulin @RubenVerborgh

Answer 3 · 2018-10-11T21:00:29.000Z

@megoth so basically, we need to apply the same mechanism for redirect uri as we do for login. When the redirect code was refactored to be client side (in data browser), the register workflow was left out, so we need to add it. (I don't think this PR is the right approach for it, though.)

(Oh, also, don't forget that now the code was changed to not log the person in after registering, so that could also be problematic.)

Answer 4 · 2018-11-14T12:41:42.000Z

I think I need some more info on how these workflows work ATM before I can fix this.

As far as I can tell:

The returnToUrl needs to be supplied somehow so it can be set here: https://github.com/solid/node-solid-server/blob/master/lib/requests/create-account-request.js#L29
If not supplied, a default is set, likely the data browser... https://github.com/solid/node-solid-server/blob/master/lib/requests/create-account-request.js#L311

So taken in account users are not automatically logged in, should it not redirect to the login page then?

Answer 5 · 2018-11-14T13:30:18.000Z

This might be a solid-auth-client issue instead. Note however that .popupLogin is preferred over .login, precisely because it doesn't loose context (which encompasses more than just URL).

Answer 6 · 2018-11-15T20:11:38.000Z

When working with redirects-after-login I always wonder, whether the ?next= (or whatever you call it) is whitelisted. That is, could I do something like /login?next=http://my.evil.website?

For whitelisting I'd consider pointing to the same host (if it starts with a protocol) or look up whether the path is known (in case it starts with a slash). Otherwise ignore it and send the user to /.

Answer 7 · 2018-11-30T15:56:37.000Z

I don't think it is essential for the user to be automatically logged in post-registration, but crucial that we be able to return the user back to what they were doing when they initiated the registration flow.

Answer 8 · 2018-12-01T13:49:09.000Z

I also encountered this problem. Has this problem been solved?