Tags: single-sign-on, urlencode, servicenow

ServiceNow Redirect URL trimmed up to "&" character


My Web application redirects to a ServiceNow app and uses SSO to login. I want the user to be redirected to certain content on the ServiceNow platform.

Redirect URL: app?sys_kb_id=d34cecb01bdcd0102fsw&id=kb_article_view&sysparam_rank=1 &sysparam_tsqueryId=37ac2ea11b6689d4db49f2

The problem I am facing is that the redirect URL gets trimmed to the first parameter. This is because of the workflow that has been used and the usage of &.

The workflow we use in ServiceNow is as follows:

logout --> login with sso --> auth redirect

This workflow is important because the clients use the web application on shared hardware. To prevent cross-user access we logout the current user every time the ServiceNow application is opened.

Logout Request

https://example.service-now.com/logout.do?glide_sso_id=<sso-id>&logout_first=true&sysparm_goto_url=%2Flogin_with_sso.do%3Fglide_sso_id%3D<sso-id>%26login_redirect_uri%3Dapp%3Fsys_kb_id%3Dd34cecb01bdcb0102f09986a23shak90%26id%3Dkb_article_view%26sysparm_rank%3D1%26sysparm_tsqueryId%3D37ac2ea11b6689d4db49f2ff034jls72
Payload: {
   sysparm_goto_url=%2Flogin_with_sso.do%3Fglide_sso_id%3D<sso-id>%26login_redirect_uri%3Dmyhr%3Fsys_kb_id%3Dd34cecb01bdcb0102f09986a23shak90%26id%3Dkb_article_view%26sysparm_rank%3D1%26sysparm_tsqueryId%3D37ac2ea11b6689d4db49f2ff034jls72
}

Login Request

https://example.service-now.com/login_with_sso.do?glide_sso_id=<sso-id>&login_redirect_uri=app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72
Payload: {
   login_redirect_uri=app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72
}

The login API parses the redirect URL, which causes the encoded URL characters to be decoded.

Because of the "&" character in the redirect URL, the URL breaks into separate query parameters:

requiredRedirectUrl: app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72

actualRedirectUrl: app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90
++ id=kb_article_view
++ sysparm_rank=1
++ sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72

Because the redirect URL is incomplete, the user comes to the landing page and not to the content page.

RequiredEndUrl: https://example.service-now.com/app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72
ActualEndUrl: https://example.service-now.com/app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90

Is there any way to ensure that the Redirect URL is not decoded by the Login API?

Or is there another method to achieve the requirement?


Solution

  • I found a fix for this. The issue was that the logout API decodes the redirect URL before calling the login API, which causes an issue because characters like "&" are not escaped.

    I encoded the redirect URL twice (Double Encode URL) and then added it to the logout request. With this, when the URL is decoded initially, the characters still remain escaped, and the actual redirect URL is sent to the last API call.

    Redirect URL: app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72
    Double Encoded URL: app%253Fsys_kb_id%253Dd34cecb01bdcb0102f09986a23shak90%2526id%253Dkb_article_view%2526sysparm_rank%253D1%2526sysparm_tsqueryId%253D37ac2ea11b6689d4db49f2ff034jls72
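To see why exactly one encoding layer is consumed per hop, here is an added Python simulation of the logout → login → redirect chain. It is example code written for this page, not code from the question, the answer or ServiceNow. It assumes each endpoint parses its query string the usual way (split on "&", percent-decode each value once), uses a constructed placeholder EXAMPLE_SSO_ID in place of the question's <sso-id>, and adds an is_local_redirect() check that is not on the page: a redirect parameter that is decoded and followed blindly is also an open-redirect risk, so the final target should be confirmed to be a relative path on the instance.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder; the question writes <sso-id> here.
SSO_ID = "EXAMPLE_SSO_ID"

# The redirect URL from the question (sys_kb_id / sysparm_tsqueryId values are the ones it shows).
REDIRECT = ("app?sys_kb_id=d34cecb01bdcb0102f09986a23shak90&id=kb_article_view"
            "&sysparm_rank=1&sysparm_tsqueryId=37ac2ea11b6689d4db49f2ff034jls72")


def encode_n(value: str, times: int) -> str:
    """Percent-encode `value` `times` times; times=2 is the answer's 'double encode'."""
    for _ in range(times):
        value = quote(value, safe="")
    return value


def build_logout_url(redirect_uri: str, encodings: int) -> str:
    """Build the logout.do URL the web application sends.

    `encodings` is how many times the redirect URL is percent-encoded as it
    appears inside sysparm_goto_url: 1 reproduces the question's original
    logout request, 2 reproduces the double-encoded fix. The rest of the goto
    URL is encoded once, exactly as in the question's request.
    """
    goto_prefix = quote(f"/login_with_sso.do?glide_sso_id={SSO_ID}&login_redirect_uri=", safe="")
    return (f"/logout.do?glide_sso_id={SSO_ID}&logout_first=true"
            f"&sysparm_goto_url={goto_prefix}{encode_n(redirect_uri, encodings)}")


def parse_query(url: str) -> dict:
    """Model a server parsing its query string: split on '&', then percent-decode
    each name and value exactly once (parse_qsl does both steps)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def follow_chain(logout_url: str) -> dict:
    """Simulate logout.do -> login_with_sso.do, one decode per hop, and return
    the parameters the login API ends up with."""
    login_url = parse_query(logout_url)["sysparm_goto_url"]  # decoded once by logout.do
    return parse_query(login_url)                             # decoded once by login_with_sso.do


def final_redirect(encodings: int) -> str:
    """The login_redirect_uri that survives the chain for a given encoding depth."""
    return follow_chain(build_logout_url(REDIRECT, encodings))["login_redirect_uri"]


def is_local_redirect(uri: str) -> bool:
    """Added defensive check (not from the page): accept only a relative path on
    the instance, so the redirect parameter cannot send the user to another host."""
    parts = urlsplit(uri)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    for n in (1, 2):
        got = final_redirect(n)
        state = "OK     " if got == REDIRECT else "TRIMMED"
        print(f"encodings={n}: {state} {got}")
        # With encodings=1 the leftover pieces show up as stray login parameters:
        stray = {k: v for k, v in follow_chain(build_logout_url(REDIRECT, n)).items()
                 if k not in ("glide_sso_id", "login_redirect_uri")}
        if stray:
            print("  stray parameters seen by the login API:", stray)
    print("final target is local:", is_local_redirect(final_redirect(2)))
```

Running it prints the trimmed `app?sys_kb_id=...` for one encoding layer, with `id`, `sysparm_rank` and `sysparm_tsqueryId` surfacing as separate login parameters, and the complete redirect for two layers. The rule it illustrates is general: a value that must arrive intact after N percent-decoding hops needs N encoding layers, and each hop should decode only its own layer.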