With password login if someone clicks on a URL like https://my.opnsense.fw/ui/auth/user when not logged in they can log in and the correct page will load after they authenticate.
With OIDC, it seems as though the path is ignored and whatever the original URL was the user gets redirected to the dashboard after authenticating.
Is this a configuration error on my end, or is there something missing in the auth flow here?
Thanks.
I suspect this isn't a config error on your side. I'm seeing the same behavior here.
As far as I can tell, the redirect_uri has to be the fixed .../api/oidc/rp/finalize/<appcode> callback, and finalize seems to just create the session and send you to the dashboard. My guess is the originally requested URL simply isn't carried through the round trip (it would need to be stashed in the OAuth state and restored at finalize), so it gets lost—whereas with password login that URL never leaves OPNsense, which would explain why it works there.
I also couldn't find any setting for it: the WebGui/Admin provider only exposes Application code, Service, Extensive log, and Description.
Since it's a Business Edition feature, I assume any fix would have to come from Deciso – probably worth a feature request to preserve the original REQUEST_URI (validated as a local /ui/... path so it can't become an open redirect).
Would you mind opening a feature request so we can look at how this would work technically? https://github.com/opnsense/core/issues/new?template=feature_request.md
At the moment it's unclear how this would work in practice but we can certainly try to implement it once 26.7 is out.
Cheers,
Franco
Thanks, will do. I'll open a feature request on GitHub. But I'm pretty busy right now, so it might take me a few days to get to it. I'll post the link here once it's filed.
Cheers,
Marco
Thank you Marco & Franco.
If I have time to create the feature request I'll let you know here.