Problem with customizing redirect_uri

I am using OpenId Connect. When a user navigates to some Url in our app, after the login we want the user to get redirected back to the original Url they navigated to.

For doing that, I tried the following - it’s also described at stackoverflow.

Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = async n =>
{
n.ProtocolMessage.RedirectUri =
String.Format("{0}?ReturnUrl={1}", _oktaRedirectUrl, HttpUtility.UrlEncode(n.OwinContext.Request.Uri.ToString()));
},
…

In the above, _oktaRedirectUrl is the Uri that is whitelisted in the client app settings.

When I run this I get the following error from Okta:

Error Code: invalid_request

Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

Any suggestions on resolving the above problem or some other way of implementing it? Thx.

The redirect uri must not have dynamic query string parameters on it per the OAuth specification to guard against tampering by attackers. That’s why the redirect uri you define at Okta for whitelisting must be absolute.

There is a technique to use the state parameter to carry csrf protection (its intended propose) as well as additional information (like where to send the user after the redirection) using jwts.

This approach is outlined here: https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09

Thanks for the link, that approach works.

The Okta API doesn’t allow many characters in the state, so you can’t make the state a JWT. How can this OAuth approach be applied within the Okta implementation?