OAuth 2: redirecting a user to the original URL after login

Guillaume Viguier-Just
Aug 10, 2017

In the OAuth 2 server I developed for the Humanitarian ID v2 project, some client applications asked me if it was possible to redirect the user after login to their originating URL. It turns out that this is the responsibility of the client application. Here is how to do it.

For example, if the user is browsing your site on https://somesite.com/page1 and clicks on the “Login” button, the user leaves your site and follows the OAuth 2 procedure to log in on a remote server. When the login procedure is successful, the user is redirected back to your site, using the redirect_uri that was configured, for example https://somesite.com/my_redirect_url. However, once your user lands back on your site, how do you redirect them back to their originating URL, in this case https://somesite.com/page1?

It took me a bit of time to find out, but this article actually shed some light on this issue. The answer is in the “state” parameter.

A correctly implemented OAuth 2 server will replay the state parameter unmodified back to the client when the user is redirected to the redirect URL. Therefore, the solution is to store the originating URL in this state parameter, send it to the OAuth 2 server, and on the way back, decrypt it to redirect the user to their initial page.
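
One way a client application could implement this, as an added example that is not code from the original article or the Humanitarian ID project: it signs the state value with HMAC instead of encrypting it, binds it to the user's session, and only redirects to URLs on the client's own origin, since the returned state arrives as a request parameter the client should not trust blindly. The authorization endpoint, client ID, key handling, session dictionary and function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, urlsplit

# Constructed values for this example (assumptions, not from the article).
STATE_KEY = secrets.token_bytes(32)   # client-side secret; load from config in practice
AUTHORIZE_URL = "https://auth.example.org/oauth/authorize"   # hypothetical endpoint
CLIENT_ID = "example-client"                                 # hypothetical client
REDIRECT_URI = "https://somesite.com/my_redirect_url"
OWN_ORIGIN = ("https", "somesite.com")   # only redirect back to our own site

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload):
    return _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())

def build_login_url(session, return_to):
    """Start login: carry the originating URL in a signed, session-bound state."""
    session["oauth_nonce"] = secrets.token_urlsafe(16)
    body = json.dumps({"n": session["oauth_nonce"], "u": return_to}).encode()
    payload = _b64(body)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI,
                       "state": payload + "." + _sign(payload)})
    return AUTHORIZE_URL + "?" + query

def return_url_from_state(session, state, default="/"):
    """In the redirect_uri handler: where to send the user, or `default`."""
    nonce = session.pop("oauth_nonce", None)   # single use, even on failure
    try:
        payload, sig = state.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return default                     # state was altered or forged
        padded = payload + "=" * (-len(payload) % 4)
        data = json.loads(base64.urlsafe_b64decode(padded))
        if nonce is None or not hmac.compare_digest(data["n"], nonce):
            return default                     # state belongs to another session
        target = urlsplit(data["u"])
    except (AttributeError, KeyError, TypeError, ValueError):
        return default                         # malformed state
    if (target.scheme, target.netloc) != OWN_ORIGIN:
        return default                         # refuse off-site redirects
    return data["u"]
```
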

Originally published at https://www.gvj-web.com on August 10, 2017.
