From f6dad7b7dfe7c6a1350cda965b0ab90ed57f51ec Mon Sep 17 00:00:00 2001
From: Dannon Baker
Date: Tue, 3 Dec 2024 22:18:09 -0500
Subject: [PATCH 1/3] Pass redirect_uri back to authnz login

---
 .../User/ExternalIdentities/ExternalLogin.vue | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/client/src/components/User/ExternalIdentities/ExternalLogin.vue b/client/src/components/User/ExternalIdentities/ExternalLogin.vue
index 6b688a9883fb..5ef028d34618 100644
--- a/client/src/components/User/ExternalIdentities/ExternalLogin.vue
+++ b/client/src/components/User/ExternalIdentities/ExternalLogin.vue
@@ -77,7 +77,16 @@ async function submitOIDCLogin(idp: string) {
     loading.value = true;
     try {
-        const { data } = await axios.post(withPrefix(`/authnz/${idp}/login`));
+        const loginUrl = withPrefix(`/authnz/${idp}/login`);
+        const urlParams = new URLSearchParams(window.location.search);
+        const redirectParam = urlParams.get("redirect");
+
+        const formData = new FormData();
+        formData.append("next", redirectParam || "");
+
+        const { data } = await axios.post(loginUrl, formData, { withCredentials: true });
+
+        console.debug("LOGIN POST DATA", data);
 
         if (data.redirect_uri) {
             window.location = data.redirect_uri;

From bafcc91ee677c551415e79229756cd6a7e951c11 Mon Sep 17 00:00:00 2001
From: Dannon Baker
Date: Wed, 4 Dec 2024 08:56:08 -0500
Subject: [PATCH 2/3] Add support for storing and retrieving login redirect URI in cookies

---
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index 1abcc722ce65..6467ae500429 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
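Review bot: The `redirect` query parameter is forwarded to the server as the `next` form field without any check on its shape, so whatever a link placed in the login URL becomes the post-login destination the server is asked to honour. Server-side validation in the authnz controller is the authoritative control, but the client can cheaply refuse to forward anything that is not a same-site path, e.g. `const nextPath = redirectParam && redirectParam.startsWith("/") && !redirectParam.startsWith("//") ? redirectParam : "";` followed by `formData.append("next", nextPath);`. A one-line comment above `urlParams` stating that `redirect` is read from the current page's query string would also help, since the value's origin is not otherwise visible in this function. submitOIDCLogin continues outside the hunk.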
@@ -19,6 +19,7 @@ log = logging.getLogger(__name__)
 
 PROVIDER_COOKIE_NAME = "galaxy-oidc-provider"
+LOGIN_NEXT_COOKIE_NAME = "galaxy-oidc-login-next"
 
 
 class OIDC(JSAppLauncher):
@@ -77,7 +78,9 @@ def login(self, trans, provider, idphint=None):
             msg = "Login to Galaxy using third-party identities is not enabled on this Galaxy instance."
             log.debug(msg)
             return trans.show_error_message(msg)
-        success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint=idphint)
+        if next:
+            trans.set_cookie(value=next, name=LOGIN_NEXT_COOKIE_NAME)
+        success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
         if success:
             return {"redirect_uri": redirect_uri}
         else:
@@ -86,6 +89,7 @@ def login(self, trans, provider, idphint=None):
     @web.expose
     def callback(self, trans, provider, idphint=None, **kwargs):
         user = trans.user.username if trans.user is not None else "anonymous"
+        login_next = url_for(trans.get_cookie(name=LOGIN_NEXT_COOKIE_NAME) or "/")
         if not bool(kwargs):
             log.error(f"OIDC callback received no data for provider `{provider}` and user `{user}`")
             return trans.show_error_message(
@@ -110,7 +114,7 @@ def callback(self, trans, provider, idphint=None, **kwargs):
                 kwargs.get("state", " "),
                 kwargs["code"],
                 trans,
-                login_redirect_url=url_for("/"),
+                login_redirect_url=login_next,
                 idphint=idphint,
             )
         except exceptions.AuthenticationFailed:

From 66fc7a6fc8f29a6122df29abcf4e224e59784754 Mon Sep 17 00:00:00 2001
From: Dannon Baker
Date: Wed, 4 Dec 2024 10:31:05 -0500
Subject: [PATCH 3/3] Fix method sig, cleanup

---
 client/src/components/User/ExternalIdentities/ExternalLogin.vue | 2 --
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/client/src/components/User/ExternalIdentities/ExternalLogin.vue b/client/src/components/User/ExternalIdentities/ExternalLogin.vue
index 5ef028d34618..2bcf4c1f4b5a 100644
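Review bot: In the `login` hunk the request-supplied `next` is stored in `LOGIN_NEXT_COOKIE_NAME` with no validation, and the `callback` hunks (`@@ -86` and `@@ -110`) then pass it through `url_for` as `login_redirect_url`, so unless `url_for` or the authnz manager rejects absolute URLs — not visible here — a `next` value pointing off-site would be followed after a successful login. Accept only a local path before setting the cookie, e.g. `if next and next.startswith("/") and not next.startswith("//"):`, and leave the cookie unset otherwise. The cookie is also written with `set_cookie`'s default lifetime; if that helper takes an age or expiry argument, a short one suits a value that is only needed for the round-trip to the identity provider. `login` starts and ends outside this hunk.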
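Review bot: `callback` reads `LOGIN_NEXT_COOKIE_NAME` but never clears it, so a `next` stored by an earlier login attempt in the same browser is reused by every later login until the cookie expires, including logins started without a `redirect` parameter. Expire or overwrite the cookie right after it is read (an empty value or whichever cookie-removal call `trans` provides), and move the `login_next` line below the `if not bool(kwargs)` check so nothing is computed for a callback that is rejected anyway. `callback` continues outside the hunk.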
--- a/client/src/components/User/ExternalIdentities/ExternalLogin.vue
+++ b/client/src/components/User/ExternalIdentities/ExternalLogin.vue
@@ -86,8 +86,6 @@ async function submitOIDCLogin(idp: string) {
         const { data } = await axios.post(loginUrl, formData, { withCredentials: true });
 
-        console.debug("LOGIN POST DATA", data);
-
         if (data.redirect_uri) {
             window.location = data.redirect_uri;
         }
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index 6467ae500429..af7330e5c0c0 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -73,7 +73,7 @@ def index(self, trans, **kwargs):
 
     @web.json
     @web.expose
-    def login(self, trans, provider, idphint=None):
+    def login(self, trans, provider, idphint=None, next=None):
         if not trans.app.config.enable_oidc:
             msg = "Login to Galaxy using third-party identities is not enabled on this Galaxy instance."
             log.debug(msg)
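Review bot: The new `next=None` parameter shadows the builtin `next` for the whole body of `login`; the name is dictated by the form field the client posts, so renaming it would break the client, but a short comment would save the next reader a double-take, e.g. `# "next" is the form field name posted by the client; it shadows the builtin inside this method`. The method also has no docstring — one stating that `next` is a local path to return to after the provider callback, carried across the round-trip in a cookie, would be worth adding. `login` continues outside the hunk; the ExternalLogin.vue hunk above only removes a debug line.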