Normally I have to register the authorize callback url/redirect_url at my IdP.
But what if that redirect_url is always the one the user tried to activate in an unauthorized state? That would mean I would have to register all 1000 possible routes at my IdP.
That cannot be a solution!
So what else can I do?
UPDATE
I use the implicit flow which is for javascript based apps.
I don't know which flow you are using. I will assume the implicit flow but this solution can be adapted.
Most clients solve this by having a special http://mypage/login-callback route. So you only register this route as redirect_uri. Before redirecting to the OIDC authentication endpoint you "save" the route the user requested, either by setting a cookie or storing it in sessionStorage. Once redirected to the login-callback you extract the token(s) and check for the cookie/localstorage key, then do another redirect.
Here's a random Angular example using oidc-client:
    async completeAuthenticationAsync() {
        // complete login, get tokens etc...
        this.user = await this.manager.signinRedirectCallback();
        this.emitState();

        // check for a URI saved before the redirect to the IdP
        const redirect = sessionStorage.getItem("auth:redirect");
        if (redirect) {
            // one-shot: clear the key, then redirect to the saved route via the Angular router
            sessionStorage.removeItem("auth:redirect");
            this.router.navigate([redirect]);
        }
        else {
            // nothing saved: redirect to the start page
            this.router.navigate([""]);
        }
    }
Edit: Since you are looking for official sources and you tagged Identity Server 4, they do the double redirect in their JavaScript client example: http://docs.identityserver.io/en/release/quickstarts/7_javascript_client.html
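Both halves of the double redirect as a framework-free illustration (added here, not code from the answer or from oidc-client): the "save the requested route" step before sending the user to the IdP, and the "consume the saved route" step on login-callback. Because the stored value drives a client-side navigation, the example also checks that it is a path local to the app before using it; the `makeStorage` stand-in for sessionStorage, the key name and the `/` fallback are assumptions so the file runs outside a browser.

```javascript
// Added example (not from the answer above): the two halves of the
// "double redirect" with a same-origin check on the saved route, so a
// value planted in sessionStorage cannot turn the post-login hop into
// an open redirect. `storage` is any object with the Web Storage API;
// a Map-backed stub (assumption) is used here so the file runs under Node.
const REDIRECT_KEY = "auth:redirect";

// Minimal sessionStorage stand-in for running outside a browser.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// A route is acceptable only if it is a path relative to this app:
// it starts with a single "/" (so neither "//other.example" nor
// "https://..."), and contains no backslash or CR/LF, since browsers
// treat "/\other.example" like "//other.example" when resolving URLs.
function isSafeLocalRoute(route) {
  if (typeof route !== "string" || route.length === 0) return false;
  if (!route.startsWith("/") || route.startsWith("//")) return false;
  if (/[\\\r\n]/.test(route)) return false;
  return true;
}

// Called before redirecting to the IdP: remember where the user wanted to go.
// Routes that fail the check are simply not stored.
function saveRequestedRoute(storage, route) {
  if (isSafeLocalRoute(route)) storage.setItem(REDIRECT_KEY, route);
}

// Called on /login-callback once the tokens are in: pick the route to
// navigate to. The stored value is consumed either way (one-shot), and
// anything that is not a local path falls back to the start page.
function resolvePostLoginRoute(storage, fallback = "/") {
  const saved = storage.getItem(REDIRECT_KEY);
  storage.removeItem(REDIRECT_KEY);
  return isSafeLocalRoute(saved) ? saved : fallback;
}
```

In the Angular snippet above, `saveRequestedRoute` would run in the route guard that triggers `signinRedirect()`, and `resolvePostLoginRoute` replaces the bare `sessionStorage.getItem` in `completeAuthenticationAsync`.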