How to redirect user to original URL after login callback?

[zam6ak]

Hi
I am using openid-client v6 with Express.js v4 and Passport.js.
I would like to redirect the user to original URL user tried to navigate to after they log in (after callback is done).

sample code

app.get(
  "/login",
  ensureLoggedOut("/logout"),
  passport.authenticate(server.hostname),
);


app.get(
  "/callback",
  ensureLoggedOut("/logout"),
  passport.authenticate(server.hostname),
  (req, res) => {
    // TODO: get original "destination" URL from state and if it exists redirect there, if not then to Home
    res.redirect("/home");
  }
);

Since the callback only gets the state this seems to be one way to achieve this.
During /login add original referer to state and procced with IdP call, then when IdP initiates callback retrieve it and redirect

• Is is possible to customize state generation during /login and its retrieval during /callback ?
• If not, is there any other way to accomplish this with openid-client?

Thanks
Z

[panva]

Hello @zam6ak,

that question is better directed at passport.

[panva]

You're looking for a strategy-based solution when in fact you should look for a passport-level solution is what I mean.

e.g. store your returnTo in req.session and then use passport's successRedirect option.

[zam6ak]

You're looking for a strategy-based solution when in fact you should look for a passport-level solution is what I mean.

What I am really looking for is to be able to specify function that will generate state instead of client.randomState() that is used by default in the provided Strategy right now.

e.g. store your returnTo in req.session and then use passport's successRedirect option.

Ok. I will try this approach.

[panva]

You're looking for a strategy-based solution when in fact you should look for a passport-level solution is what I mean.

What I am really looking for is to be able to specify function that will generate state instead of client.randomState() that is used by default in the provided Strategy right now.

That's intentionally not possible on the account of most developers shooting themselves in the foot with it.

[zam6ak]

That's intentionally not possible on the account of most developers shooting themselves in the foot with it.

This is great default - the lib should definitely provide this level of protection by default.
But it should be extensible IMO.

If you check other OP implementations, they do point security aspects but also note that state carries other app specific data
For example:
MS Entra
https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-the-sign-in-request

The state also is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view the user was on.

Another example:
Auth0
https://auth0.com/docs/secure/attack-protection/state-parameters#redirect-users

You can use the state parameter to encode an application state that will put the user where they were before the authentication process started. For example, if a user intends to access a protected page in your application, and that action triggers the request to authenticate, you can store that URL to redirect the user back to their intended page after the authentication finishes.

The library should provide sensible and secure default implementation (which is done, this a very well implemented OIDC client library), but it should also be flexible to extend/override for advance uses.

---

Back to my original issue, after upgrading Passport, I was able to change callback to make use of request.session.returnTo
This seems to work when using newer Passport versions:

app.get(
  "/callback",
  ensureLoggedOut("/logout"),
  (req, res, next) => {
    //console.log(`${req.path} | req.session.returnTo: ${req.session?.returnTo}`);
    passport.authenticate(server.hostname, {
      successRedirect: req.session?.returnTo || "/protected"
    })(req, res, next);
  }
);

Thank you for the suggestion!
Z

[dennemark]

Hi, can you elaborate a bit on how you have set the session? i am using fastify/secure-session not sure if mine would work similar to yours. but i guess it would have similar logic.

 fastify.get(
      `/connect`,
      function (request, reply) {
        if(request.query.redirectTo){
          request.session.returnTo = request.query.redirectTo
          return reply.redirect('/callback') // callback without redirectTo, since otherwise oidc provider complains
        }
        return fastify.passport.authenticate(server.hostname)(request,reply)
      }
      )

with this code my session will return undefined if i try to call it in the callback as you did.