We have a requirement to use OIDC as the framework for Identity Federation where CDC will act as an Open ID Provider (OP). Also, the requirement mentions that after successful authentication of the user, he/she should be redirected back to the correct sub-page from where the flow was initiated.
As our proposed solution, while making a call to OP Authorization endpoint (then to Proxy page), we are passing the value of redirect URL parameter dynamically and have whitelisted the complete domain in Redirect URL section in the configuration of the RP client.
However, each time the Proxy page tries to redirect to this dynamic URL, it always moves to the error page saying the URL is not whitelisted. If we whitelist a static URL and pass it through the Proxy page, then it works as expected.
It seems CDC isn't supporting dynamic redirection after OIDC login, or is there something we are missing here? If the former is the case, could this scenario be accomplished anyhow?
Thanks and Regards,
This is part of the OIDC standard, where the redirectUrl needs to be an exact string match. This is done as a security precaution to prevent open redirect attack vectors.
If you want to customize the behavior post the redirect, you can use the state parameter to pass data that will be returned after the redirection back to the RP occurs.
Static URL does not mean you cannot implement dynamic behaviors.
For instance, you can put a static redirect URL like "https://www.mydomain.com/myredirect", implement the /myredirect URL in your backend code (e.g. a Spring MVC controller or PHP code), and from your backend code you can implement whatever redirecting logic you like.
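The two answers above combined, as an added example that is not code from the original thread or from SAP CDC: the originating sub-page is carried in the OIDC `state` parameter, `redirect_uri` stays the one static whitelisted URL, and the `/myredirect` handler validates `state` and only ever sends the browser to a same-site relative path. The OP endpoint, client id and HMAC key are placeholder values.

```python
# Added example (not from the original post or from SAP CDC): carry the originating
# sub-page in the OIDC `state` parameter, bound to a server-side entry with an HMAC
# tag, and resolve it at a single static redirect_uri into a same-site path.
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse

# Constructed placeholder values; real deployments take these from configuration.
OP_AUTHORIZE = "https://op.example.com/authorize"    # hypothetical OP endpoint
REDIRECT_URI = "https://www.mydomain.com/myredirect"  # the single whitelisted URL
CLIENT_ID = "example-client"                           # placeholder client id
SERVER_SECRET = b"replace-with-random-server-secret"   # placeholder HMAC key

_pending = {}  # state -> return path; would be a session store in production


def _safe_return_path(path: str) -> str:
    """Keep only same-site relative paths; anything else falls back to '/'."""
    p = urlparse(path)
    if p.scheme or p.netloc or not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def build_authorize_url(return_to: str) -> tuple:
    """Return (authorize_url, state). The sub-page rides in state, not in redirect_uri."""
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    state = f"{nonce}.{tag}"
    _pending[state] = _safe_return_path(return_to)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # exact match with the RP configuration
        "scope": "openid",
        "state": state,
    }
    return f"{OP_AUTHORIZE}?{urlencode(params)}", state


def handle_callback(state: str, code: str) -> str:
    """Handler for /myredirect: validate state, return the local path to redirect to."""
    nonce, _, tag = state.partition(".")
    expected = hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected) or state not in _pending:
        raise ValueError("unknown or tampered state")
    target = _pending.pop(state)  # one-time use: a replayed state is rejected
    # Exchange `code` for tokens with the OP here (omitted in this example).
    return target
```

The whitelisted `redirect_uri` never changes, so the OP's exact-match check passes, while the backend alone decides where the user lands afterwards.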