The flow is a bit complex. OAuth is the only allowed login on the Discourse instance. The whole idea is for the user to land back on the site they were before they were asked to create an account on the OAuth server.
It goes like this:

- User clicks Login
- Thanks to a custom code snippet, it goes directly to the (custom) OAuth server login page
- User clicks Create an account and creates an account on the OAuth server
- A confirmation e-mail is sent

Meanwhile, the OAuth server stores that when this particular e-mail is confirmed, and as soon as the user logs in again, it must redirect them to https://[discourse-server]/auth/oauth2_basic to automatically initiate a login process.

The issue is here.

- When the user clicks the OAuth server confirmation link in the same browser session (used from the first step)
  - The user is redirected to https://[discourse-server]/auth/oauth2_basic
  - This starts the OAuth2 login process
  - The user ends up on https://[discourse-server]/?authComplete=true, connected
  - ^ this is the wanted behavior
- When the user clicks the OAuth server confirmation link in a new browser session
  - The user is redirected to https://[discourse-server]/auth/oauth2_basic
  - This starts the OAuth2 login process
  - The user ends up on https://[discourse-server]/?authComplete=true, connected
  - The user is somehow redirected to https://[oauth2-server]/
  - ^ this is the issue
A screenshot to go with the text…
Text to go with the screenshot…
- #1 | The user has just confirmed their e-mail and successfully signs in, redirected to their profile page
- #2 | The profile page is where the custom redirection I was talking about is taking place, so the user is redirected to https://[discourse-server]/auth/oauth2_basic
- #3 | Discourse then redirects the user back to the OAuth server to initiate the login process
- #4 | OAuth authorization
- #5 | Discourse callback, redirecting the user to /?authComplete=true
- #6 | Bunch of assets loading (filtered in the devtools)
- #7 | Boom, out of nowhere, the user is redirected to the OAuth server root path
- #8 | … then redirected to their profile since they’re already logged in
So I’m guessing the extra redirect has something to do with a session-based storage.
Can someone point me to an area of the Discourse codebase where something like this would occur?
I’m already digging but some help would be appreciated. Thanks a lot.
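The stray cross-origin hop at the end of that flow is a good reason to check where a stored post-login destination actually resolves before following it. The helper below is an added illustration, not Discourse's or the original poster's code: a hypothetical Rails-style function that only honours a destination (stashed in a session or cookie before the OAuth round-trip) when it lands on the forum's own host, and falls back to the forum root otherwise. The host names are constructed placeholders standing in for [discourse-server] and [oauth2-server].

```ruby
require "uri"

# Constructed placeholder for the forum's own host ([discourse-server] in the post).
FORUM_HOST = "discourse.example.com"
DEFAULT_LANDING = "/"

# Hypothetical helper: given a destination stored before login, return a path
# that is safe to redirect to after login. Anything that resolves to another
# host (for example the OAuth server's root) is replaced by DEFAULT_LANDING.
def safe_post_login_redirect(stored_destination, forum_host: FORUM_HOST)
  return DEFAULT_LANDING if stored_destination.nil? || stored_destination.strip.empty?
  value = stored_destination.strip

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    # Unparseable input (backslashes, control characters, ...) is not trusted.
    return DEFAULT_LANDING
  end

  if uri.host
    # Absolute or protocol-relative URL: accept only https on the forum's own host,
    # and hand back just the path and query so the scheme/host cannot be smuggled.
    return DEFAULT_LANDING unless uri.scheme == "https" && uri.host.casecmp?(forum_host)
    path = uri.path.empty? ? "/" : uri.path
    return uri.query ? "#{path}?#{uri.query}" : path
  end

  # Host-less value: must be a single-slash site-relative path. A leading "//"
  # is protocol-relative and would leave the site, so it is rejected too.
  return DEFAULT_LANDING unless value.start_with?("/") && !value.start_with?("//")
  value
end
```

In the post's terms, `/?authComplete=true` is returned unchanged while a stored `https://[oauth2-server]/` collapses to the forum root instead of being followed.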