Redirect users to their intended resource after session expiry re-authentication

[keonramses]

Summary

When a user's session exceeds the maximum session length and they attempt to access a resource, they are correctly prompted to re-authenticate. However, after successful re-authentication, users are redirected to the Pangolin dashboard instead of being routed to the resource they were originally trying to access. This requires users to manually navigate back to their intended destination either by re-entering the URL or selecting it from the available resources list.

Motivation

This creates unnecessary friction in the user experience and interrupts workflow. When users are working with specific resources and their session expires, they expect to be returned to their work after re-authenticating, not to a landing page.
Use case this would solve:

• A user is working on a specific resource/application
• Their session expires after the configured maximum session length (e.g., 12 hours)
• They attempt to access the resource again
• After re-authentication, they should be seamlessly returned to the resource they were trying to access

This pattern is standard in most authentication systems and aligns with user expectations for session management.

Proposed Solution

Implement a redirect mechanism that preserves the originally requested URL through the authentication flow:

1. When an unauthenticated/expired session user attempts to access a protected resource, capture the requested URL
2. Store this URL (e.g., in session storage, as a query parameter, or in the authentication state)
3. After successful re-authentication, redirect the user to the originally requested URL instead of the default Pangolin dashboard
4. If no specific resource was requested (user went directly to login), default to the current behavior of showing the Pangolin dashboard (current behavior)

Implementation details:

• Consider using a redirect_uri or return_to parameter in the authentication flow
• Ensure proper validation of the redirect URL to prevent open redirect vulnerabilities
• Handle edge cases where the originally requested resource may no longer be available or accessible

Alternatives Considered

• Manual navigation: Current behavior - users must manually re-enter the URL or select from a list. This is the workaround but creates poor UX.
• Browser back button: Users could theoretically use the back button, but this is unreliable and again creates poor UX.

Additional Context

No response