IDSite login does not persist the ?next parameter
andrewmarcus opened this issue · 3 comments
andrewmarcus commented
```javascript
app.use(stormpath.init({
  web: {
    login: {
      enabled: true
    },
    idSite: {
      enabled: true,
      uri: '/idSiteResult',
      nextUri: '/'
    }
  }
}));
app.route('/my/route').get(stormpath.loginRequired, controller.myRouteController);
```
Use case:
- User accesses `/my/route` in a browser.
- If the user is already logged in, the route will invoke the route controller.
- If the user is not logged in, the middleware will redirect to `/login?next=%2Fmy%2Froute`.
- The `/login` endpoint will use the `id-site-redirect` controller in express-stormpath, which does not look at `req.query.next` when assembling the JWT.
- The user will be redirected to the ID Site, and upon successful login, to `/idSiteResult`.
- Since the `?next=%2Fmy%2Froute` parameter was not included in the ID Site request, the user will be redirected to the default nextUri, `/`, rather than to `/my/route`.
andrewmarcus commented
Potential solution:
If the ID Site ignores request parameters when determining whether a valid AuthorizedCallbackURI was specified, then it should be possible to update line 19 of `lib/controllers/id-site-redirect.js` from:

```javascript
var cbUri = req.protocol + '://' + getHost(req) + config.web.idSite.uri;
```

to

```javascript
var cbUri = req.protocol + '://' + getHost(req) + config.web.idSite.uri + (req.query.next ? '?next=' + req.query.next : '');
```
Otherwise, the nextUri will probably need to be added as a property within the JWT.
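An added example, not part of the original comment and not express-stormpath code: if `next` is carried on the callback URI as proposed above, it needs to be URL-encoded on the way out and accepted only as a same-site path on the way back, otherwise `/login?next=` turns into an open redirect. The helper names `safeLocalPath`, `buildCallbackUri` and `resolveNextUri` and the host `app.example.com` are hypothetical, and the sketch assumes ID Site accepts a callback URI that has a query string.

```javascript
// Hypothetical helpers for illustration; not express-stormpath code.
const BASE = 'http://localhost'; // dummy origin, used only to resolve relative paths

// Return `next` normalized if it is a same-site path such as "/my/route", else null.
function safeLocalPath(next) {
  // Express parses ?next=a&next=b into an array, so require a string.
  if (typeof next !== 'string') return null;
  // Reject absolute ("https://...") and protocol-relative ("//host") targets.
  if (!next.startsWith('/') || next.startsWith('//')) return null;
  // Browsers treat "\" as "/" and strip control characters, so reject both.
  if (/[\\\u0000-\u001f]/.test(next)) return null;
  let parsed;
  try {
    parsed = new URL(next, BASE);
  } catch (e) {
    return null;
  }
  if (parsed.origin !== BASE) return null;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Outbound (login redirect): callback URI carrying a validated, encoded `next`.
function buildCallbackUri(protocol, host, idSiteUri, next) {
  const cbUri = protocol + '://' + host + idSiteUri;
  const path = safeLocalPath(next);
  return path ? cbUri + '?next=' + encodeURIComponent(path) : cbUri;
}

// Inbound (callback route): where to send the user after a successful login.
function resolveNextUri(queryNext, defaultNextUri) {
  return safeLocalPath(queryNext) || defaultNextUri;
}

// Constructed sample inputs.
const samples = ['/my/route', '/my/route?tab=2&x=y', 'https://other.example/',
  '//other.example/', ['/a', '/b']];
for (const next of samples) {
  console.log(JSON.stringify(next), '->',
    buildCallbackUri('https', 'app.example.com', '/idSiteResult', next),
    '| after login:', resolveNextUri(next, '/'));
}
```

The same check applies wherever `next` is read back, including the logout flow mentioned later in the thread.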
mdeggies commented
Hi @andrewmarcus, thanks for the post! We're aware of this issue and looking into it.
andrewmarcus commented
Thanks @mdeggies. As a followup, this same issue appears to be the case for logout as well.