Re: [openstreetmap/openstreetmap-website] `oauth_return_url` gets lost during registration (Issue #6130)

Wed, 25 Jun 2025 02:56:01 -0700 

tordans left a comment (openstreetmap/openstreetmap-website#6130)

> Do you have any idea when it changed?

Unfortunately not. I know that it worked when we had the old design because 
that is when we documented the flow in a PDF. 
I looked at the history a bit but nothing stood out to me.

> I think the double `?` is a red herring - there is one parameter who's value 
> is a URL that includes parameters.

I just checked again: Its actually only one `?` and all the rest is encoded in 
the `referrer` param.
The initial URL is

```url
https://master.apis.dev.openstreetmap.org/login
?referer=%2Foauth2%2Fauthorize%3Fclient_id%3DuglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4%26scope%3Dopenid%2520read_prefs%2520write_prefs%2520write_notes%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fstaging.tilda-geo.de%252Fapi%252Fauth%252Fosm%252Fcallback%26nextauth%3Dosm%252Clogin%26state%3DjIO5g3txGqwx9umk9-zTr7nlhTJ-WxvfWjFqhKcGRF0%26code_challenge%3DQAKZO5APd7JZDsaYnWi1tizaLkUxZjQkivX9IYRbx8E%26code_challenge_method%3DS256
```

Which decodes to …

```url
https://master.apis.dev.openstreetmap.org/login
?referer=/oauth2/authorize
  ?client_id=uglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4
  &scope=openid%20read_prefs%20write_prefs%20write_notes
  
&response_type=code&redirect_uri=https%3A%2F%2Fstaging.tilda-geo.de%2Fapi%2Fauth%2Fosm%2Fcallback&nextauth=osm%2Clogin
  &state=jIO5g3txGqwx9umk9-zTr7nlhTJ-WxvfWjFqhKcGRF0
  &code_challenge=QAKZO5APd7JZDsaYnWi1tizaLkUxZjQkivX9IYRbx8E
  &code_challenge_method=S256
```

The URL from the email is then…

```
https://master.apis.dev.openstreetmap.org/user/test10tobias/confirm
?confirm_string=eyJfcmFpbHMiOnsiZGF0YSI6WzIyMzUwLCJiZGE1Y2RiZWUxYjYxMjQ4ZDE1Nzg5YjAwNWU0NGFkNGI0ZjRkYjBiNGI1MjI0NGYzMTMyNmQ3ZGExMDZiNzE0Il0sImV4cCI6IjIwMjUtMDctMDJUMDk6Mjc6NTguOTk4WiIsInB1ciI6IlVzZXJcbm5ld191c2VyXG42MDQ4MDAifX0%3D--261db9030dd0adf43c8b204c33f945ca0ce27dd3
&referer=%2Fwelcome%3Foauth_return_url%3D%252Foauth2%252Fauthorize%253Fclient_id%253DuglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4%2526scope%253Dopenid%252520read_prefs%252520write_prefs%252520write_notes%2526response_type%253Dcode%2526redirect_uri%253Dhttps%25253A%25252F%25252Fstaging.tilda-geo.de%25252Fapi%25252Fauth%25252Fosm%25252Fcallback%2526nextauth%253Dosm%25252Clogin%2526state%253DjIO5g3txGqwx9umk9-zTr7nlhTJ-WxvfWjFqhKcGRF0%2526code_challenge%253DQAKZO5APd7JZDsaYnWi1tizaLkUxZjQkivX9IYRbx8E%2526code_challenge_method%253DS256
```

Which (twice) decodes to…

```url
https://master.apis.dev.openstreetmap.org/user/test10tobias/confirm
?confirm_string=eyJfcmFpbHMiOnsiZGF0YSI6WzIyMzUwLCJiZGE1Y2RiZWUxYjYxMjQ4ZDE1Nzg5YjAwNWU0NGFkNGI0ZjRkYjBiNGI1MjI0NGYzMTMyNmQ3ZGExMDZiNzE0Il0sImV4cCI6IjIwMjUtMDctMDJUMDk6Mjc6NTguOTk4WiIsInB1ciI6IlVzZXJcbm5ld191c2VyXG42MDQ4MDAifX0=--261db9030dd0adf43c8b204c33f945ca0ce27dd3
&referer=/welcome
  ?oauth_return_url=/oauth2/authorize
    ?client_id=uglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4
      &scope=openid%20read_prefs%20write_prefs%20write_notes
      &response_type=code
      
&redirect_uri=https%3A%2F%2Fstaging.tilda-geo.de%2Fapi%2Fauth%2Fosm%2Fcallback
      &nextauth=osm%2Clogin
      &state=jIO5g3txGqwx9umk9-zTr7nlhTJ-WxvfWjFqhKcGRF0
      &code_challenge=QAKZO5APd7JZDsaYnWi1tizaLkUxZjQkivX9IYRbx8E
      &code_challenge_method=S256
```


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/6130#issuecomment-3004092262
You are receiving this because you are subscribed to this thread.

Message ID: 
<openstreetmap/openstreetmap-website/issues/6130/3004092...@github.com>
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev

Reply via email to