[MGNLSSO-83] Admincentral URLs are not kept after login Created: 29/Sep/21 Updated: 08/Mar/23 |
|
| Status: | Open |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | 2.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Jonathan Ayala | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Epic Link: | SSO support for custom IdPs | ||||||||||||
| Team: | |||||||||||||
| Description |
Steps to reproduce
Expected results
After login you are redirected to pages app https://demoauthor.magnolia/cms.com/.magnolia/admincentral/any/sub/path?any_param=any_value

Actual results
After login you are redirected to admincentral home https://demoauthor.magnolia/cms.com/.magnolia/admincentral

Developer note: Without sso it works fine https://demo.magnolia-cms.com/.magnolia/admincentral#app:pages-app:browser;/travel:: here is the problematic link behind sso (for testing issue purpose) |
| Comments |
| Comment by Maxime Michel [ 29/Sep/21 ] |
|
Unfortunately, I don't see how this could be implemented. The #app:pages-app part of the URL is not sent by the browser to backend servers. In Admincentral, we get it thanks to Vaadin's client-side communication. But Vaadin is not available to intercept this value when Magnolia's login filter forwards to Keycloak. Hence, whether there is a URL fragment or not in the URL yields the exact same .magnolia/admincentral target URL. |
| Comment by Boris Faniuk [ 29/Sep/21 ] |
|
Hello, Maxime and Jonathan! I understand that the hash value is not sent to the server, that's why implementing this with the current hash-based URLs is not possible. What I am thinking of is implementing question-mark-based URLs. Maybe this is not a directly SSO-project-related task, but I assume that the usability of the SSO module would benefit a lot from this. |
| Comment by Maxime Michel [ 05/Oct/21 ] |
|
Hi bfaniuk, I think the following flow would be doable:
However, the overall architecture appears clumsy to me. Also, it would require that the IDP knows about all possible ?target_app=* URLs. Either with a wildcard, which is not recommended for security purposes and not even possible with some providers, or by maintaining the list manually. Wouldn't it be easier on your side to implement some sort of portal so that your users first log in with the IDP? Once that is taken care of, they can access Pages or any other app like they would on a non-SSO instance, i.e. either by reusing a URL from their history, or with a bookmark. Best, |
| Comment by Boris Faniuk [ 05/Oct/21 ] |
|
Hello, Maxime!
"we refactor the module so that the target Admincentral URL allows for some sort of placeholder, i.e. /.magnolia/admincentral?target_app=PAGES"
"it would require that the IDP knows about all possible ?target_app=* URLs"
"portal so that your users first login with the IDP"
So, I would go the path you proposed + custom state generator. Thanks! |
| Comment by Maxime Michel [ 11/Oct/21 ] |
|
Hi Boris, I am reopening this ticket and updating the description so that the SSO module allows the user to be redirected to any requested page, not just ./magnolia/admincentral. This will not solve your use case because it will not work with hashes, but it's a step in the right direction. Once it is implemented, we can test the placeholder-based and state-based approaches. Best, |
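
The state-based approach raised in the comments above, sketched as an added example (not code from the ticket or from the SSO module): the login filter packs the server-visible path and query into a signed `state` value, so the IdP needs only one registered redirect URI, and the callback accepts the target only if it stays under Admincentral on the same origin. The host, secret and function names are assumptions; the `#app:...` fragment is still lost because the browser never sends it.

```javascript
// Added example; ORIGIN, SECRET and all function names are hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

const ORIGIN = 'https://author.example';      // constructed host
const SECRET = 'constructed-demo-key';        // assumption: per-deployment secret
const BASE = '/.magnolia/admincentral';       // default landing page from the ticket

// What a server-side login filter can see: path and query only.
// The fragment (#app:pages-app:...) stays in the browser.
function serverVisibleTarget(browserUrl) {
  const u = new URL(browserUrl);
  return u.pathname + u.search;
}

function sign(payload) {
  return createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Before redirecting to the IdP: carry the requested target inside `state`.
// A real flow would also bind `state` to the browser session with a nonce.
function packState(target) {
  const payload = Buffer.from(target, 'utf8').toString('base64url');
  return payload + '.' + sign(payload);
}

// On the callback: verify the MAC, then allow only same-origin Admincentral paths.
function unpackState(state) {
  const [payload, mac] = String(state).split('.');
  if (!payload || !mac) return BASE;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return BASE;

  let u;
  try {
    // Resolving against ORIGIN normalises "..", "//host" and backslash tricks.
    u = new URL(Buffer.from(payload, 'base64url').toString('utf8'), ORIGIN);
  } catch {
    return BASE;
  }
  const underBase = u.pathname === BASE || u.pathname.startsWith(BASE + '/');
  return u.origin === ORIGIN && underBase ? u.pathname + u.search : BASE;
}
```

Anything that fails verification or points outside Admincentral falls back to the default landing page rather than producing an error or an off-site redirect.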