I spent quite some time figuring this one out and I wanted to document some observations in this ticket. Maybe it helps other people or can be used for cross-referencing.

When the Web Editor sets up the authorization code flow, it strips trailing slashes from the current page's URL to construct the redirect URI. This is done, if I understand correctly, by openeo-js-client at https://github.com/Open-EO/openeo-js-client/blob/3c83cf0a28e5026e413cf5c7fdd37d0e559e5609/src/oidcprovider.js#L346-L357:

```js
/**
 * The global redirect URL to use.
 *
 * By default uses the location of the browser, but removes fragment, query and
 * trailing slash.
 * The fragment conflicts with the fragment appended by the Implicit Flow and
 * the query conflicts with the query appended by the Authorization Code Flow.
 * The trailing slash is removed for consistency.
 *
 * @type {string}
 */
OidcProvider.redirectUrl = Environment.getUrl().split('#')[0].split('?')[0].replace(/\/$/, '');
```

For example, if you host the web editor at `https://example.com/` (note the trailing slash), the redirect URI that will be passed through in the OIDC auth code dance will be `https://example.com` without trailing slash.

So in the redirect URI allow list of your OIDC client configuration, you should have `https://example.com` (without trailing slash). (Same actually for the "web origin"
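
To check a client configuration against this behaviour, the following added example (not part of the original post or of openeo-js-client) applies the same normalisation to a given page URL and compares the result with an allow list. The names `deriveRedirectUri` and `checkClientConfig` are hypothetical, the sample URLs are constructed, and it assumes the identity provider matches redirect URIs by exact string comparison.

```javascript
// Same normalisation as OidcProvider.redirectUrl in the snippet above, but with
// the page URL passed in instead of being read from Environment.getUrl().
function deriveRedirectUri(pageUrl) {
  return pageUrl.split('#')[0].split('?')[0].replace(/\/$/, '');
}

// Hypothetical helper. Assumption: the identity provider accepts a redirect
// URI only when it is string-equal to an entry in the client's allow list.
function checkClientConfig(pageUrl, allowedRedirectUris) {
  const redirectUri = deriveRedirectUri(pageUrl);
  const allowed = allowedRedirectUris.includes(redirectUri);
  // Entries that differ from the sent value only by a trailing slash:
  // these look right in an admin console but will not match.
  const nearMisses = allowedRedirectUris.filter(
    (entry) => entry === redirectUri + '/'
  );
  return { redirectUri, allowed, nearMisses };
}

// Constructed sample deployments and allow lists.
const samples = [
  { pageUrl: 'https://example.com/', allowList: ['https://example.com/'] },
  { pageUrl: 'https://example.com/', allowList: ['https://example.com'] },
  {
    // Hosted under a sub-path, returning from a login with query and fragment.
    pageUrl: 'https://example.com/editor/?code=abc&state=xyz#section',
    allowList: ['https://example.com/editor/', 'https://example.com/editor'],
  },
];

for (const { pageUrl, allowList } of samples) {
  const result = checkClientConfig(pageUrl, allowList);
  const verdict = result.allowed ? 'OK' : 'REJECTED';
  console.log(`${pageUrl} -> sends ${result.redirectUri}: ${verdict}`);
  for (const entry of result.nearMisses) {
    console.log(`  allow list entry "${entry}" has a trailing slash and does not match`);
  }
}
```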