
getOidcCallbackUrl() includes ephemeral query params in redirect_uri, breaking OIDC login #32874

@azmeuk

Description


Steps to reproduce

I am testing plugging Synapse and an Element Web instance into MAS. Element Web is configured to automatically redirect non-logged-in users to the IDP:

    "sso_redirect_options": {
        "immediate": true
    },

When I update Element Web, it reloads and adds an updated=X.Y.Z query string parameter to the URL.

The redirect_uri configured at the IDP is https://element.example.com/?no_universal_links=true.

Outcome

Because of the update, Element Web uses https://element.example.com/?updated=X.Y.Z&no_universal_links=true as the redirect_uri value in the OIDC request.

This leads the IDP to refuse the authorization code request and display a "redirect_uri is not allowed for this client" error message.

I suppose this is due to this method building the redirect_uri from window.location.href without removing the updated parameter:

    public getOidcCallbackUrl(): URL {
        const url = new URL(window.location.href);
        // The redirect URL has to exactly match that registered at the OIDC server, so
        // ensure that the fragment part of the URL is empty.
        url.hash = "";
        // Set no_universal_links=true to prevent the callback being handled by Element X installed on macOS Apple Silicon
        url.searchParams.set("no_universal_links", "true");
        return url;
    }

Operating system

Arch Linux

Browser information

Mozilla Firefox 148.0.2

URL for webapp

Element Web 1.12.12

Application version

No response

Homeserver

synapse 1.139.0, MAS 1.13

Will you send logs?

Yes
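The mismatch described in this issue, as an added example that is not part of the issue or of Element Web's code. It rebuilds a callback URL in the same shape as the quoted method from a page URL that carries the transient updated parameter, then shows one candidate mitigation (stripping a list of known ephemeral parameters before returning the URL) beside a simulated exact-match check of the kind an OIDC provider performs. The names EPHEMERAL_PARAMS, buildCallbackUrl, buildCallbackUrlStripped, idpAllowsRedirect and demo, the registered URI list and the sample page URL are all constructed for this example.

```javascript
// Added example, not Element Web's code. Demonstrates why deriving redirect_uri
// from the current page URL fails exact-match validation once a transient query
// parameter is present, and one way to strip such parameters first.

// Constructed: query parameters the web app adds to its own URL only transiently.
// "updated" is the one named in the issue; the list is an assumption.
const EPHEMERAL_PARAMS = ["updated"];

// Same shape as the method quoted in the issue: copy the current location,
// drop the fragment, force no_universal_links=true.
function buildCallbackUrl(currentHref) {
  const url = new URL(currentHref);
  url.hash = "";
  url.searchParams.set("no_universal_links", "true");
  return url;
}

// Candidate hardening (an assumption, not the project's fix): remove known
// ephemeral parameters so the result is stable across reloads.
function buildCallbackUrlStripped(currentHref) {
  const url = buildCallbackUrl(currentHref);
  for (const name of EPHEMERAL_PARAMS) {
    url.searchParams.delete(name);
  }
  return url;
}

// Simulated IdP check. OAuth 2.0 / OIDC require the redirect_uri to match a
// registered value by simple string comparison, so no normalisation or
// pattern matching is applied here on purpose.
function idpAllowsRedirect(registeredUris, candidate) {
  return registeredUris.includes(String(candidate));
}

// Constructed sample data: the URI registered at the IdP, and the page URL as it
// looks after an update reload (query parameter plus a router fragment).
const REGISTERED_REDIRECT_URIS = ["https://element.example.com/?no_universal_links=true"];
const HREF_AFTER_UPDATE = "https://element.example.com/?updated=X.Y.Z#/home";

// Returns both candidate redirect_uri values and whether the simulated IdP accepts them.
function demo() {
  const broken = buildCallbackUrl(HREF_AFTER_UPDATE).toString();
  const fixed = buildCallbackUrlStripped(HREF_AFTER_UPDATE).toString();
  return {
    broken,
    fixed,
    brokenAllowed: idpAllowsRedirect(REGISTERED_REDIRECT_URIS, broken),
    fixedAllowed: idpAllowsRedirect(REGISTERED_REDIRECT_URIS, fixed),
  };
}

console.log(demo());
```

Because the provider compares the strings byte for byte, parameter order matters as well as parameter presence: `URLSearchParams.set` keeps the position of an existing key and appends new ones, which is why the broken value comes out as `?updated=X.Y.Z&no_universal_links=true`. Any mitigation that keeps deriving the callback from the live page URL has to guarantee the exact serialisation that was registered, which is simplest when the ephemeral parameters are removed before the OIDC request is built.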

Metadata

Labels

    A-OIDC, S-Major (Severely degrades major functionality or product features, with no satisfactory workaround), T-Defect
