From 3e5dd446cb0a2f57fbb4a169f0f9bf2aa998cf9d Mon Sep 17 00:00:00 2001
From: William Petit
Date: Fri, 24 May 2024 15:27:43 +0200
Subject: [PATCH] feat(authn-oidc): use relative redirection to prevent internal/public host mixing

---
 internal/proxy/director/layer/authn/oidc/client.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/proxy/director/layer/authn/oidc/client.go b/internal/proxy/director/layer/authn/oidc/client.go
index afa2f56..947a56b 100644
--- a/internal/proxy/director/layer/authn/oidc/client.go
+++ b/internal/proxy/director/layer/authn/oidc/client.go
@@ -2,6 +2,7 @@ package oidc
 import (
 "bytes"
+ "fmt"
 "net/http"
 "net/url"
 "strings"
@@ -74,7 +75,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 sess.Values[sessionKeyLoginState] = state
 sess.Values[sessionKeyLoginNonce] = nonce
- sess.Values[sessionKeyPostLoginRedirectURL] = originalURL.String()
+ sess.Values[sessionKeyPostLoginRedirectURL] = fmt.Sprintf("%s?%s", originalURL.Path, originalURL.Query().Encode())
 if err := sess.Save(r, w); err != nil {
 logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
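Review bot: The value now stored at `sess.Values[sessionKeyPostLoginRedirectURL]` is built from the decoded `originalURL.Path`, so a path containing a percent-encoded `?`, `#` or `%` is written back decoded and means something else when the redirect is later issued, and a request with no query string is stored with a dangling `?` (`/path?`). Letting net/url do the escaping avoids both: `rel := &url.URL{Path: originalURL.Path, RawPath: originalURL.RawPath, RawQuery: originalURL.RawQuery}` followed by `sess.Values[sessionKeyPostLoginRedirectURL] = "/" + strings.TrimLeft(rel.String(), "/")` (both packages are already imported per the first hunk, and the `fmt` import added there becomes unused unless something else in the file needs it). The leading-slash normalisation matters because, depending on how originalURL is derived outside this hunk, a client-supplied request target such as `//evil.example/x` can survive as the path, and a redirect to that stored value is protocol-relative and leaves the host — exactly the host mixing this commit sets out to prevent. `Query().Encode()` additionally re-sorts and re-encodes parameters, whereas `RawQuery` preserves the original query verbatim. The enclosing `login` method starts before this hunk and continues past it.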