stormpath/express-stormpath

IDSite login does not persist the ?next parameter

andrewmarcus opened this issue · 3 comments

app.use(stormpath.init({
	web: {
		login: {
			enabled: true
		},
		idSite: {
			enabled: true,
			uri: '/idSiteResult',
			nextUri: '/'
		}
	}
}));

app.route('/my/route').get(stormpath.loginRequired, controller.myRouteController);

Use case:

  1. User accesses /my/route in a browser.
  2. If the user is already logged in, the route will invoke the route controller.
  3. If the user is not logged in, the middleware will redirect to /login?next=%2Fmy%2Froute.
  4. The /login endpoint will use the id-site-redirect controller in express-stormpath, which does not look at req.query.next when assembling the JWT.
  5. The user will be redirected to the ID Site, and upon successful login, to /idSiteResult.
  6. Since the ?next=%2Fmy%2Froute parameter was not included in the ID Site request, the user will be redirected to the default nextUri, /, rather than to /my/route.

Potential solution:

If the ID Site ignores request parameters when determining whether a valid AuthorizedCallbackURI was specified, then it should be possible to update line 19 of lib/controllers/id-site-redirect.js from:

    var cbUri = req.protocol + '://' + getHost(req) + config.web.idSite.uri;

to

    var cbUri = req.protocol + '://' + getHost(req) + config.web.idSite.uri + (req.query.next ? '?next=' + req.query.next : '');

Otherwise, the nextUri will probably need to be added as a property within the JWT.
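One way to carry `next` through the ID Site round trip without turning it into an open redirect. This is an added example, not code from express-stormpath or from the issue author; the helper names (`safeNext`, `buildCallbackUri`, `resolveNext`), the use of `req.headers.host` in place of the library's `getHost(req)`, and the `req`-like objects are assumptions constructed for illustration. The point it adds to the proposed patch above: `req.query.next` is attacker-controlled (anyone can link a user to `/login?next=https://evil.example`), so it has to be restricted to a same-origin path and percent-encoded before it is appended to the callback URI, and validated again when it comes back on `/idSiteResult`.

```javascript
'use strict';
// Added example (not express-stormpath's code): propagate `next` through the
// ID Site redirect safely. Helper names and the req objects are assumptions.

const PLACEHOLDER_ORIGIN = 'http://placeholder.invalid';

// Accept only an absolute, same-origin path. Rejects full URLs, protocol-relative
// values (//host), backslash variants (/\host, which WHATWG parsers treat as //host),
// control characters and whitespace. Fragments are dropped; the query string is kept.
function safeNext(next) {
  if (typeof next !== 'string' || next.length === 0) return null;
  if (next[0] !== '/' || next[1] === '/' || next[1] === '\\') return null;
  if (/[\u0000-\u001f\s]/.test(next)) return null;
  let parsed;
  try {
    parsed = new URL(next, PLACEHOLDER_ORIGIN);
  } catch (e) {
    return null;
  }
  // If the value resolved to any origin other than the placeholder, it was not a plain path.
  if (parsed.origin !== PLACEHOLDER_ORIGIN) return null;
  return parsed.pathname + parsed.search;
}

// Same shape as the cbUri line in lib/controllers/id-site-redirect.js, but the
// `next` value is validated and percent-encoded rather than concatenated raw
// (a raw `&` or `#` in next would otherwise corrupt the callback URL).
// Assumption: req.headers.host stands in for the library's getHost(req).
function buildCallbackUri(req, idSiteUri) {
  const next = safeNext(req.query && req.query.next);
  const base = req.protocol + '://' + req.headers.host + idSiteUri;
  return next ? base + '?next=' + encodeURIComponent(next) : base;
}

// On the /idSiteResult callback the value has gone through the ID Site and back
// as a query parameter, so it is untrusted input again: re-validate, then fall
// back to config.web.idSite.nextUri.
function resolveNext(req, fallbackUri) {
  return safeNext(req.query && req.query.next) || fallbackUri;
}

// Constructed walk-through of the use case in the issue.
function demo() {
  const config = { web: { idSite: { uri: '/idSiteResult', nextUri: '/' } } };
  const loginReq = { protocol: 'https', headers: { host: 'app.example' }, query: { next: '/my/route' } };
  const cbUri = buildCallbackUri(loginReq, config.web.idSite.uri);
  // ID Site sends the user back to cbUri; Express parses its query string.
  const callbackReq = { query: { next: '/my/route' } };
  return { cbUri: cbUri, redirectTo: resolveNext(callbackReq, config.web.idSite.nextUri) };
}

module.exports = { safeNext, buildCallbackUri, resolveNext, demo };
```

If the ID Site does compare the full callback URL (including query string) against the AuthorizedCallbackURI list, the same `safeNext` value can be placed in a JWT claim instead of the query string; the validation step on the way back stays the same either way.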

Hi @andrewmarcus, thanks for the post! We're aware of this issue and looking into it.

Thanks @mdeggies. As a followup, this same issue appears to be the case for logout as well.