Alexandre Bourlier

Reputation: 4118

OIDC, Redirect URL and wildcard

I believe the 3.1.2.1. Authentication Request section of the specification says that we cannot, but I find it so unbelievable that I thought I would double check by asking here.

Is there a way to redirect my users to any URL of my domain name after they have successfully logged in via the OIDC provider?

My use case would be:

  1. A user accesses my app and wanders around
  2. She finds some interesting stuff to do and wants to interact, for example, to comment on a post she found interesting
  3. The app invites her to log in and she gets redirected to the OIDC provider

As I can't know in advance the URL my user will be visiting in step 3, I would like her to be redirected there, whatever that URL might be.

Is this doable? Do I understand correctly that the spec says it is not? If the spec does say no, do you know any workaround that would allow this user experience?

Upvotes: 6

Views: 6292

Answers (1)

Spomky-Labs

Reputation: 16775

You can use the state parameter to achieve that without any deviation from the specification.

The state parameter is associated with the page/action to perform on the client side.

  1. A user accesses my app and wanders around
  2. She finds some interesting stuff to do and wants to interact, for example, to comment on a post she found interesting
  3. The app generates a state value and associates that value with the interaction to perform
  4. The app invites her to log in and she gets redirected to the OIDC provider with the state parameter in the query string
  5. After consent, the user is redirected to the application callback
  6. Get the state that is part of the query/fragment (depends on the response mode/type).
  7. Based on the state value, redirect the user to the expected page/action.

Upvotes: 7
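The flow in the answer above, sketched as an added example (not code from the answer or from any OIDC library): the app keeps one registered `redirect_uri`, stores the page to return to server-side under a random `state`, and resolves it once on callback. The endpoint, client ID, callback URL, TTL and function names are assumptions, and the in-memory dict stands in for the user's server-side session.

```python
import secrets
import time
from urllib.parse import urlencode

# Assumed values for illustration only.
AUTHZ_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "my-client"
REDIRECT_URI = "https://app.example/callback"  # the single registered callback
STATE_TTL = 600  # seconds a pending login stays valid

# state -> (return_path, expiry); stands in for the user's server-side session
_pending = {}


def is_local_path(path):
    """Accept only same-site absolute paths, so state can never drive an open redirect."""
    return (path.startswith("/") and not path.startswith("//")
            and "\\" not in path
            and not any(ord(c) < 0x20 for c in path))


def begin_login(return_path, now=None):
    """Steps 3-4: mint a state, remember where the user was, build the authorization URL."""
    now = time.time() if now is None else now
    if not is_local_path(return_path):
        return_path = "/"  # fall back to the home page rather than trust the value
    state = secrets.token_urlsafe(32)  # unguessable, also serves as CSRF protection
    _pending[state] = (return_path, now + STATE_TTL)
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # always the same, no wildcard needed
        "state": state,
    })
    return state, f"{AUTHZ_ENDPOINT}?{query}"


def finish_login(state, now=None):
    """Steps 6-7: consume the state once; return the page to redirect to, or None."""
    now = time.time() if now is None else now
    entry = _pending.pop(state, None)  # pop makes the state single-use
    if entry is None or now > entry[1]:
        return None  # unknown, replayed or expired state: reject the callback
    return entry[0]
```

Keeping the return path server-side and keyed by an opaque `state` means the value that comes back from the provider is only ever a lookup key, never a URL the app redirects to directly.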
