Update OIDC login action flow

Update logic to protect authenticate() if the user is not authenticated, and is redirected back to oidc/login. Add logic to support redirecting the user back to their requested page when authentication succeeds.
KostelidisDev · Mar 5, 2024 · 6b0f127 · 6b0f127
1 parent 4884503
commit 6b0f127
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/plugins/arOidcPlugin/modules/oidc/actions/loginAction.class.php b/plugins/arOidcPlugin/modules/oidc/actions/loginAction.class.php
@@ -27,12 +27,25 @@ public function execute($request)
             $this->redirect('@homepage');
         }
 
-        $this->getUser()->authenticate();
+        // Save referring page URL. The request will be oidc/login but the referrer will be @homepage, or
+        // user/list (for example) if the user was attempting to access a secure resource. When redirected
+        // back from the OIDC endpoint, the referrer will be empty.
+        if ($request->isMethod('post') && !empty($request->getReferer())) {
+            $this->context->user->setAttribute('atom-login-referrer', $request->getReferer());
+        }
+
+        if ($request->isMethod('post') || isset($_REQUEST['code'])) {
+            $this->getUser()->authenticate();
+        }
 
         // Redirect to module/action the user was trying to reach before being redirected
         // to the OIDC IAM system for authentication. We prefer a redirect to a forward so that the ticket
         // parameter is not accidentally exposed in the user's browser.
-        $redirectUrl = $request->getParameter('module').'/'.$request->getParameter('action');
-        $this->redirect($redirectUrl);
+        if (null !== $redirectUrl = $this->context->user->getAttribute('atom-login-referrer', null)) {
+            $this->context->user->setAttribute('atom-login-referrer', null);
+            $this->redirect($redirectUrl);
+        }
+
+        $this->redirect('@homepage');
     }
 }