Contrib.social

Set destination request parameter as part of login

Open on Drupal.org β†’
Created on 18 June 2025, 7 months ago

Problem/Motivation

We're encountering an issue specifically with the Dashboard module right now (but it could occur with others). The Dashboard module by default uses a login hook to check for a destination parameter on the current request. If the destination is set, it does nothing. However, if it is not set, it sets a destination to a dashboard.

From what I can tell, the SAML Auth module gets the value of the destination from the original request, unsets it, sends it as part of the SAML request, gets it back in the response, and then uses a RedirectResponse to achieve the post-login destination functionality.

Because SAML Auth never sets the destination parameter back on the request, modules with functionality like Dashboard will always supersede the originally intended post-login destination.

Steps to reproduce

1. Install the dashboard module on a site with SAML Auth
2. Create a basic dashboard
3. Login with SAML with a destination parameter
4. Instead of being redirected to the destination, you're redirected to a dashboard.

Proposed resolution

Add the redirect URL back to the request chain as the destination.

I don't claim to know too much about the SAML Auth functionality and I apologize if this isn't possible. We are also thinking about adding an option into the Dashboard module to disable the auto-redirection as a configuration setting and see if it's something the maintainers would be interested in.

✨ Feature request
Status

Active

Version

3.11

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States joegl

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @joegl
  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States joegl
  • Comment 7 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Thanks for the refference code, I could have a quick thought and get over my initial hesitation.

    Does this work instead? See patch file (untested code, quickly hacked together). After login, I assume we still get to this code block and can remove the 'destination' that was set by the Dashboard module. I assume this code is still executed with Dashboard module installed.

    Gives better separation of concerns / we can keep this in the Controller class, because

    • I would rather only set the destination parameter as you suggested, if the SAML login was successful
    • But that would mean this would need to be somewhere in the middle of the login code, in SamlService.
  • Comment 7 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    FWIW:

    I just realized this patch, technically, constitutes a behavior change, which I should document.

    Now, IF a RelayState is set in the IDP response / post request, then hook code can still override it by setting a 'destination' on the current request. After this change, that will be impossible. (If someone really wants to do this, they'll have to do more work == implement some event subscriber.)

    In practice, this translates to; the DESTINATION in /saml/login?destination=DESTINATION will override any hook code that sets a 'destination' on the current request. (Whereas right now, it does not.)

    I think we actually want that.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States joegl

    Thanks Roderick -- this does look like exactly what we need. I agree this sounds like it should be the default behavior, but is it something that would fit as a toggle-able configuration option that's on by default?

    I will see if I have time to test the patch today otherwise I'll have to wait until next week.

  • Comment 7 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Nice. I'll set "needs review" which is actually needs testing... and wait. Then when that's done, merge*... and include in a release later on.

    * (For this specific issue, I'm not too concerned about the exact MR flow because the change is small and -in the current module state- does not need automated tests.)

    Feature flag is possible, but I think I'm OK with just implementing it and publishing a change record. This feels like an edge case. It's possible that some people experience a behavior change, but the impact should be quite small. And "now actually redirecting to where the POST request from the IdP says", shouldn't cause real breakage / doesn't have security implications.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States joegl

    I've added the patch and tested it. It is working as expected.

    I changed the issue title to better align with the work you did here, although it may still need some tweaking.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States joegl
  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States joegl
  • Status changed to Fixed 17 days ago
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024