GitLab

Myself and @plup fixed a bug just now with a user who had a default_redirect_uri which was taking them back to the OIDC authorize view with an old (now invalid) client_id. So they successfully login, and they're taken back to an invalid screen

There was a similar issue where an error string was included in the redirect URI and this led people

The default_redirect_uri was included on the user model as a mechanism to know where to redirect someone when none was passed in with the request (especially on federated login - the idea was that I visit one client application, I'm redirected to my identity provider, but the client didn't pass in that request where to redirect them back, so it looks at the last lodged in app stored as default_redirect_uri. Clearly if this has been set to an error URI then it will look like I've hit an error!)