Implement redirection to initial URL after SSO login (#4557)

* Add final_url on oauth2
* Add final_url to oidc
* handle final_url on frontend
---------

Co-authored-by: Patrick Ogenstad <[email protected]>

Author: bilalabbad

backend/infrahub/api/oauth2.py

@@ -31,10 +31,7 @@ def _get_redirect_url(request: Request, provider_name: str) -> str:
 
 
 @router.get("/{provider_name:str}/authorize")
-async def authorize(
-    request: Request,
-    provider_name: str,
-) -> Response:
+async def authorize(request: Request, provider_name: str, final_url: str | None = None) -> Response:
     provider = config.SETTINGS.security.get_oauth2_provider(provider=provider_name)
     client = AsyncOAuth2Client(
         client_id=provider.client_id,
@@ -43,15 +40,16 @@ async def authorize(
     )
 
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
+    final_url = final_url or config.SETTINGS.dev.frontend_url or str(request.base_url)
 
     authorization_uri, state = client.create_authorization_url(
-        url=provider.authorization_url, redirect_uri=redirect_uri, scope=provider.scopes
+        url=provider.authorization_url, redirect_uri=redirect_uri, scope=provider.scopes, final_url=final_url
     )
 
     service: InfrahubServices = request.app.state.service
 
     await service.cache.set(
-        key=f"security:oauth2:provider:{provider_name}:state:{state}", value=state, expires=KVTTL.TWO_HOURS
+        key=f"security:oauth2:provider:{provider_name}:state:{state}", value=final_url, expires=KVTTL.TWO_HOURS
     )
 
     if config.SETTINGS.dev.frontend_redirect_sso:
@@ -68,16 +66,16 @@ async def token(
     state: str,
     code: str,
     db: InfrahubDatabase = Depends(get_db),
-) -> models.UserToken:
+) -> models.UserTokenWithUrl:
     provider = config.SETTINGS.security.get_oauth2_provider(provider=provider_name)
 
     service: InfrahubServices = request.app.state.service
 
     cache_key = f"security:oauth2:provider:{provider_name}:state:{state}"
-    stored_state = await service.cache.get(key=cache_key)
+    stored_final_url = await service.cache.get(key=cache_key)
     await service.cache.delete(key=cache_key)
 
-    if state != stored_state:
+    if not stored_final_url:
         raise ProcessingError(message="Invalid 'state' parameter")
 
     token_data = {
@@ -109,7 +107,9 @@ async def token(
         max_age=config.SETTINGS.security.refresh_token_lifetime,
     )
 
-    return user_token
+    return models.UserTokenWithUrl(
+        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
+    )
 
 
 def _validate_response(response: httpx.Response) -> None:

backend/infrahub/api/oidc.py

@@ -60,10 +60,7 @@ def _get_redirect_url(request: Request, provider_name: str) -> str:
 
 
 @router.get("/{provider_name:str}/authorize")
-async def authorize(
-    request: Request,
-    provider_name: str,
-) -> Response:
+async def authorize(request: Request, provider_name: str, final_url: str | None = None) -> Response:
     provider = config.SETTINGS.security.get_oidc_provider(provider=provider_name)
     service: InfrahubServices = request.app.state.service
 
@@ -78,13 +75,14 @@ async def authorize(
     )
 
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
+    final_url = final_url or config.SETTINGS.dev.frontend_url or str(request.base_url)
 
     authorization_uri, state = client.create_authorization_url(
         url=str(oidc_config.authorization_endpoint), redirect_uri=redirect_uri, scope=provider.scopes
     )
 
     await service.cache.set(
-        key=f"security:oidc:provider:{provider_name}:state:{state}", value=state, expires=KVTTL.TWO_HOURS
+        key=f"security:oidc:provider:{provider_name}:state:{state}", value=final_url, expires=KVTTL.TWO_HOURS
     )
 
     if config.SETTINGS.dev.frontend_redirect_sso:
@@ -101,16 +99,16 @@ async def token(
     state: str,
     code: str,
     db: InfrahubDatabase = Depends(get_db),
-) -> models.UserToken:
+) -> models.UserTokenWithUrl:
     provider = config.SETTINGS.security.get_oidc_provider(provider=provider_name)
 
     service: InfrahubServices = request.app.state.service
 
     cache_key = f"security:oidc:provider:{provider_name}:state:{state}"
-    stored_state = await service.cache.get(key=cache_key)
+    stored_final_url = await service.cache.get(key=cache_key)
     await service.cache.delete(key=cache_key)
 
-    if state != stored_state:
+    if not stored_final_url:
         raise ProcessingError(message="Invalid 'state' parameter")
 
     token_data = {
@@ -148,7 +146,9 @@ async def token(
         max_age=config.SETTINGS.security.refresh_token_lifetime,
     )
 
-    return user_token
+    return models.UserTokenWithUrl(
+        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
+    )
 
 
 def _validate_response(response: httpx.Response) -> None:

backend/infrahub/models.py

@@ -13,6 +13,10 @@ class UserToken(BaseModel):
     refresh_token: str = Field(..., description="JWT refresh_token")
 
 
+class UserTokenWithUrl(UserToken):
+    final_url: str = Field(..., description="The final url after logged in")
+
+
 class AccessTokenResponse(BaseModel):
     access_token: str = Field(..., description="JWT access_token")
 

frontend/app/src/pages/auth-callback.tsx

@@ -1,16 +1,19 @@
 import { INFRAHUB_API_SERVER_URL } from "@/config/config";
 import { useAuth } from "@/hooks/useAuth";
+import LoadingScreen from "@/screens/loading-screen/loading-screen";
 import { configState } from "@/state/atoms/config.atom";
 import { fetchUrl } from "@/utils/fetch";
 import { useAtomValue } from "jotai";
-import { useEffect } from "react";
+import { useEffect, useState } from "react";
 import { Navigate, useParams, useSearchParams } from "react-router-dom";
 
 function AuthCallback() {
   const { protocol, provider } = useParams();
   const config = useAtomValue(configState);
   const [searchParams] = useSearchParams();
   const { isAuthenticated, setToken } = useAuth();
+  const [redirectTo, setRedirectTo] = useState("/");
+
   const code = searchParams.get("code");
   const state = searchParams.get("state");
   const error = searchParams.get("error");
@@ -26,6 +29,7 @@ function AuthCallback() {
     const { token_path } = currentAuthProvider;
     fetchUrl(`${INFRAHUB_API_SERVER_URL}${token_path}?code=${code}&state=${state}`).then(
       (result) => {
+        setRedirectTo(result.final_url);
         setToken(result);
       }
     );
@@ -40,10 +44,14 @@ function AuthCallback() {
   }
 
   if (isAuthenticated) {
-    return <Navigate to="/" replace />;
+    return <Navigate to={redirectTo} replace />;
   }
 
-  return null;
+  return (
+    <div className="w-screen h-screen flex items-center justify-center">
+      <LoadingScreen />
+    </div>
+  );
 }
 
 export const Component = AuthCallback;

frontend/app/src/screens/authentification/sign-in-sso-buttons.tsx

@@ -1,22 +1,34 @@
 import { INFRAHUB_API_SERVER_URL } from "@/config/config";
 import { Provider } from "@/state/atoms/config.atom";
 import { Icon } from "@iconify-icon/react";
+import { useLocation } from "react-router-dom";
 
 export const SignInWithSSOButtons = ({ providers }: { providers: Array<Provider> }) => {
+  let location = useLocation();
+  const redirectTo: string =
+    (location.state?.from?.pathname || "/") + (location.state?.from?.search ?? "");
+
   return (
     <div className="flex flex-col space-y-1 w-full">
       {providers.map((provider) => (
-        <ProviderButton key={provider.name + provider.protocol} provider={provider} />
+        <ProviderButton
+          key={provider.name + provider.protocol}
+          provider={provider}
+          redirectTo={redirectTo}
+        />
       ))}
     </div>
   );
 };
 
-export const ProviderButton = ({ provider }: { provider: Provider }) => {
+export const ProviderButton = ({
+  provider,
+  redirectTo = "/",
+}: { provider: Provider; redirectTo?: string }) => {
   return (
     <a
       className="h-9 px-4 py-2 inline-flex items-center justify-center whitespace-nowrap rounded-md text-sm font-medium disabled:opacity-60 disabled:cursor-not-allowed border bg-custom-white shadow-sm hover:bg-gray-100"
-      href={INFRAHUB_API_SERVER_URL + provider.authorize_path}
+      href={`${INFRAHUB_API_SERVER_URL + provider.authorize_path}?final_url=${redirectTo}`}
     >
       <Icon icon={provider.icon} />
       <span className="ml-2">Sign in with {provider.display_label}</span>