[MGNLSSO-83] Admincentral URLs are not kept after login Created: 29/Sep/21  Updated: 08/Mar/23

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: 2.0
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Jonathan Ayala Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates: relates to MGNLSSO-32 Further securityCallback research (Accepted)
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO support for custom IdPs
Team: AdminX

Description

Steps to reproduce

  1. Logout from the system
  2. Hit a direct URL like: https://demoauthor.magnolia/cms.com/.magnolia/admincentral/any/sub/path?any_param=any_value
  3. Login via SSO provider

Expected results

After login you are redirected to the pages app

https://demoauthor.magnolia/cms.com/.magnolia/admincentral/any/sub/path?any_param=any_value

Actual results

After login you are redirected to admincentral home

https://demoauthor.magnolia/cms.com/.magnolia/admincentral

Developer note:

Without SSO it works fine

https://demo.magnolia-cms.com/.magnolia/admincentral#app:pages-app:browser;/travel::

Here is the problematic link behind SSO (for testing purposes):
https://author-statuspage.beta.de.magnolia-cloud.com/.magnolia/admincentral#app:pages-norsu-app:browser;/website/test-norsu-page::
Comments
Comment by Maxime Michel [ 29/Sep/21 ]

Unfortunately, I don't see how this could be implemented. The #app:pages-app part of the URL is not sent by the browser to backend servers. In Admincentral, we get it thanks to Vaadin's client-side communication. But Vaadin is not available to intercept this value when Magnolia's login filter forwards to Keycloak. Hence, whether there is a URL fragment or not in the URL yields the exact same .magnolia/admincentral target URL.

Comment by Boris Faniuk [ 29/Sep/21 ]

Hello, Maxime and Jonathan! 

I understand that the hash value is not sent to the server, that's why implementing this with the current hash-based URLs is not possible.

What I am thinking of is implementing question-mark-based URLs.

Maybe this is not directly an SSO project related task, but I assume that the usability of the SSO module would benefit a lot from this.

Comment by Maxime Michel [ 05/Oct/21 ]

Hi bfaniuk, I think the following flow would be doable:

  • we refactor the module so that the target Admincentral URL allows for some sort of placeholder, i.e. /.magnolia/admincentral?target_app=PAGES
  • behind the scenes, this URL is converted into /.magnolia/admincentral#app:pages-app

However, the overall architecture appears clumsy to me. Also, it would require that the IDP knows about all possible ?target_app=* URLs. Either with a wildcard, which is not recommended for security purposes and not even possible with some providers, or by maintaining the list manually.

Wouldn't it be easier on your side to implement some sort of portal so that your users first login with the IDP? Once that is taken care of, they can access Pages or any other app like they would on a non-SSO instance, i.e. either by reusing a URL from their history, or with a bookmark.

Best,
Maxime

Comment by Boris Faniuk [ 05/Oct/21 ]

Hello, Maxime!

"we refactor the module so that the target Admincentral URL allows for some sort of placeholder, i.e. /.magnolia/admincentral?target_app=PAGES"
I think that "placeholder"-based solution would work very well!

"it would require that the IDP knows about all possible ?target_app=* URLs"
We have "state" parameter in the whole auth flow.
What about implementing custom StateGenerator that would encrypt the path to the actual app into the state parameter?
Auth callback servlet receives the state and then we can extract the path and redirect correctly.

"portal so that your users first login with the IDP"
This solution is obviously not very user-friendly and I would not imagine explaining this to our editors.
Besides, this would not work if e.g. the session times out, and in the best scenario the user just has to press F5 in the browser. Together with our SUPPORT-13741 issue this is very much relevant.

So, I would go the path you proposed + custom state generator.

Thanks!

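The state-based flow Boris proposes above (the login filter packs the requested path into the OIDC state, the auth callback servlet unpacks it and redirects), as an added Python sketch that is not part of the SSO module or of this ticket. It assumes the login filter hands over the request's path and query (the fragment never reaches the server, as Maxime notes), uses an HMAC signature instead of encryption since the path is not secret, and restricts the return target to same-origin Admincentral paths so the IdP only ever needs the one fixed callback URL while a caller-controlled return path cannot become an open redirect.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed demo key: a real module would load it from configuration, never hard-code it.
SECRET_KEY = b"demo-key-not-for-production"
ADMINCENTRAL = "/.magnolia/admincentral"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def safe_return_path(requested: str) -> str:
    """Keep only a same-origin path under Admincentral (path + query); anything else,
    including absolute or protocol-relative URLs, falls back to the home URL so the
    state can never be turned into an open redirect. The fragment is dropped because
    the browser never sends it to the server in the first place."""
    parts = urlsplit(requested)
    in_admincentral = parts.path == ADMINCENTRAL or parts.path.startswith(ADMINCENTRAL + "/")
    if parts.scheme or parts.netloc or not in_admincentral:
        return ADMINCENTRAL
    return parts.path + ("?" + parts.query if parts.query else "")

def generate_state(requested: str, session: dict) -> str:
    """Login filter side: bind a fresh nonce to the session (CSRF protection) and pack it
    together with the return path into the OIDC state, signed with HMAC-SHA256."""
    nonce = secrets.token_urlsafe(16)
    session["oidc_nonce"] = nonce
    payload = _b64e(json.dumps({"n": nonce, "r": safe_return_path(requested)}).encode())
    sig = _b64e(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def resolve_callback_redirect(state: str, session: dict) -> Optional[str]:
    """Callback servlet side: verify the signature, consume the session nonce (so a
    replayed or cross-site callback is refused), then return the redirect target.
    None means the callback must be rejected rather than redirected."""
    payload, _, sig = state.partition(".")
    expected = _b64e(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    data = json.loads(_b64d(payload))
    stored = session.pop("oidc_nonce", None)
    if stored is None or not hmac.compare_digest(str(data.get("n", "")).encode(), stored.encode()):
        return None
    return safe_return_path(str(data.get("r", ADMINCENTRAL)))
```
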
Comment by Maxime Michel [ 11/Oct/21 ]

Hi Boris,

I am reopening this ticket and updating the description so that the SSO module allows the user to be redirected to any requested page, not just /.magnolia/admincentral. This will not solve your use case because it will not work with hashes, but it's a step in the right direction. Once it is implemented, we can test the placeholder-based and state-based approaches.

Best,
Maxime

Generated at Mon Feb 12 10:50:57 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.