Fix OIDC redirect handling after login using RequestCache

tylerjmchugh · tylerjmchugh · commit e3b53b4ce8b4 · 2026-03-06T10:46:57.000-05:00
diff --git a/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOAuth2LoginAuthenticationFilter.java b/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOAuth2LoginAuthenticationFilter.java
@@ -37,6 +37,8 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.web.savedrequest.RequestCache;
+import org.springframework.security.web.savedrequest.SavedRequest;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -59,6 +61,9 @@ public class GeonetworkOAuth2LoginAuthenticationFilter extends OAuth2LoginAuthen
     @Autowired
     OAuth2SecurityProviderUtil oAuth2SecurityProviderUtil;
 
+    @Autowired
+    RequestCache requestCache;
+
     public GeonetworkOAuth2LoginAuthenticationFilter(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientService authorizedClientService) {
         super(clientRegistrationRepository, authorizedClientService);
     }
@@ -117,24 +122,54 @@ protected void successfulAuthentication(HttpServletRequest request,
         try{
             SecurityContextHolder.getContext().setAuthentication(authResult);
 
+            // Use Spring Security's SavedRequest mechanism to get the original request URL
+            // The request should have been saved by GeonetworkOidcPreAuthActionsLoginFilter before
+            // redirecting the user to the OIDC provider login
+            String redirectURL = null;
+
+            if (requestCache != null) {
+                SavedRequest savedRequest = requestCache.getRequest(request, response);
+                if (savedRequest != null) {
+                    redirectURL = savedRequest.getRedirectUrl();
+                    Log.debug(Geonet.SECURITY, "Retrieved original request from SavedRequest: " + redirectURL);
+                } else {
+                    Log.debug(Geonet.SECURITY, "No SavedRequest found in RequestCache");
+                }
+
+                if (redirectURL != null) {
+                    Log.info(Geonet.SECURITY, "Redirecting to " + redirectURL);
 
-            //cf GN keycloak
-            String redirectURL = findQueryParameter(request, "redirectUrl");
-            if (redirectURL != null) {
-                try {
-                    URI redirectUri = new URI(redirectURL);
-                    if (redirectUri != null && !redirectUri.isAbsolute()) {
-                        response.sendRedirect(redirectUri.toString());
-                    } else {
-                        // If the redirect url ends up being null or absolute url then lets redirect back to the context home.
-                        Log.warning(Geonet.SECURITY, "Failed to perform login redirect to '" + redirectURL + "'. Redirected to context home");
+                    // Removing original request, since we want to
+                    // retain current headers.
+                    // If request remains in cache, requestCacheFilter
+                    // will reinstate the original headers and we don't
+                    // want it.
+                    requestCache.removeRequest(request, response);
+
+                    response.sendRedirect(redirectURL);
+                }
+            } else {
+                Log.debug(Geonet.SECURITY, "RequestCache is not available");
+
+                redirectURL = findQueryParameter(request, "redirectUrl");
+                if (redirectURL != null) {
+                    Log.debug(Geonet.SECURITY, "Retrieved redirect URL from query parameter: " + redirectURL);
+
+                    try {
+                        URI redirectUri = new URI(redirectURL);
+                        if (!redirectUri.isAbsolute()) {
+                            response.sendRedirect(redirectUri.toString());
+                        } else {
+                            // If the redirect url ends up being null or absolute url then lets redirect back to the context home.
+                            Log.warning(Geonet.SECURITY, "Failed to perform login redirect to '" + redirectURL + "'. Redirected to context home");
+                            response.sendRedirect(request.getContextPath());
+                        }
+                    } catch (URISyntaxException e) {
                         response.sendRedirect(request.getContextPath());
                     }
-                } catch (URISyntaxException e) {
+                } else {
                     response.sendRedirect(request.getContextPath());
                 }
-            } else {
-                response.sendRedirect(request.getContextPath());
             }
 
             // Set users preferred locale if it exists. - cf. keycloak
diff --git a/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcPreAuthActionsLoginFilter.java b/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcPreAuthActionsLoginFilter.java
@@ -22,19 +22,18 @@
  */
 package org.fao.geonet.kernel.security.openidconnect;
 
-import org.fao.geonet.Constants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.web.savedrequest.RequestCache;
 
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
-import java.net.URLEncoder;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.context.ServletContextAware;
@@ -57,6 +56,8 @@ public class GeonetworkOidcPreAuthActionsLoginFilter  implements Filter, Servlet
     @Autowired
     private  ClientRegistrationRepository clientRegistrationRepository;
 
+    @Autowired
+    private RequestCache requestCache;
 
     /**
      * The servlet context parameter name that contains the excluded URL paths.
@@ -127,11 +128,12 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             .anyMatch(matcher -> matcher.matches(servletRequest));
 
         if (!isAuthenticated && !isLoginRequest && !isPublicEndpoint && !isBearerTokenAccess) {
-            String returningUrl = requestUri +
-                (servletRequest.getQueryString() == null ? "" : "?" + servletRequest.getQueryString());
+            // Save the original request so it can be retrieved after successful authentication
+            if (requestCache != null) {
+                requestCache.saveRequest(servletRequest, servletResponse);
+            }
 
-            String redirectUrl = loginPath + "?redirectUrl=" + URLEncoder.encode(returningUrl, Constants.ENCODING);
-            servletResponse.sendRedirect(redirectUrl);
+            servletResponse.sendRedirect(loginPath);
             return;
         }
 
