default_redirect_uri can become invalid
Myself and @plup fixed a bug just now with a user who had a default_redirect_uri which was taking them back to the OIDC authorize view with an old (now invalid) client_id. So they successfully log in, and they're taken back to an invalid screen.
There was a similar issue where an error string was included in the redirect URI and this led people
The default_redirect_uri was included on the user model as a mechanism to know where to redirect someone when none was passed in with the request (especially on federated login - the idea was that I visit one client application, I'm redirected to my identity provider, but the client didn't pass in that request where to redirect them back, so it looks at the last logged in app stored as default_redirect_uri. Clearly if this has been set to an error URI then it will look like I've hit an error!)
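One way to guard against both failure modes described above, checking the stored value when it is written and again when it is used at login. This is an added example, not the project's code: the function names, client IDs, fallback path and sample URLs are hypothetical, and it assumes the error string appears as an OAuth-style `error` parameter.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical values for illustration; not taken from the project.
ACTIVE_CLIENT_IDS = {"portal-2024", "wiki"}
FALLBACK_URI = "/account/"


def redirect_problem(uri, active_client_ids):
    """Return a reason string if a stored URI must not be used, else None."""
    if not uri:
        return "empty"
    parts = urlsplit(uri)
    # Error responses can arrive in the query or, for implicit flow, the fragment.
    query = parse_qs(parts.query, keep_blank_values=True)
    fragment = parse_qs(parts.fragment, keep_blank_values=True)
    for params in (query, fragment):
        # OAuth/OIDC error responses carry an `error` parameter (RFC 6749).
        if "error" in params or "error_description" in params:
            return "error response"
    # A URI that re-enters the authorize view embeds a client_id; it is only
    # usable while that client is still registered.
    for client_id in query.get("client_id", []):
        if client_id not in active_client_ids:
            return "unknown client_id"
    return None


def resolve_default_redirect(stored_uri, active_client_ids=ACTIVE_CLIENT_IDS,
                             fallback=FALLBACK_URI):
    """Login time: fall back when the stored value has gone stale."""
    if redirect_problem(stored_uri, active_client_ids):
        return fallback
    return stored_uri


def remember_redirect(user, uri, active_client_ids=ACTIVE_CLIENT_IDS):
    """Write time: never persist a URI that is already bad."""
    if redirect_problem(uri, active_client_ids) is None:
        user["default_redirect_uri"] = uri
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an authorize URL for a client that no longer exists.
    stale = "https://idp.example/openid/authorize?client_id=retired-app&response_type=code"
    print(redirect_problem(stale, ACTIVE_CLIENT_IDS), "->", resolve_default_redirect(stale))
```

Checking at read time as well as write time matters because a URI that was valid when stored becomes invalid later, once its client is removed.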