dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0

OIDC standard does not allow query parameters in redirect URI #77

Closed lscorcia closed 1 year ago

lscorcia commented 1 year ago

Hi, according to the thorough explanation at https://stackoverflow.com/a/55577647/10564068, the OIDC specifications do not allow query parameters in redirect URIs. Some OIDC IDPs enforce this, others don't. Unfortunately, mine does and this plugin does not work :(

Any idea on how to work around the issue? Maybe a hardcoded PHP file which just redirects to the complete URL handler?

lscorcia commented 1 year ago

So, for posterity, I solved this with the following entry in the Apache site conf:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
  ...
    <IfModule mod_rewrite.c>
      # Tell PHP that the mod_rewrite module is ENABLED.
      SetEnv HTTP_MOD_REWRITE On

      RewriteEngine on

      # QSA = append the request's query string, R = external redirect (302 unless a status code is given)
      RewriteRule /oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc [QSA,R]
    </IfModule>
  </VirtualHost>
</IfModule>

Then, in the OIDC plugin settings I set the Redirect URI override parameter to https://my.domain/oidc/callback. Seems to be working fine.
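The workaround above can be sanity-checked offline. This is an added example, not part of the original comments or the plugin's code: it models what the thread's `RewriteRule ... [QSA,R]` does to a callback request, so you can confirm that the URI registered at the IdP is query-free and that `code` and `state` still reach the plugin's callback action. The sample callback URL and its values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pattern and substitution copied from the RewriteRule in the thread.
PATTERN = re.compile(r"/oidc/callback")  # unanchored, as written in the thread
TARGET = "/index.php?module=LoginOIDC&action=callback&provider=oidc"

# Constructed sample of what an IdP sends back to the registered redirect URI.
SAMPLE_CALLBACK = "https://my.domain/oidc/callback?code=SAMPLE_CODE&state=SAMPLE_STATE"


def redirect_uri_is_query_free(uri: str) -> bool:
    """True if the URI to register at the IdP is https with no query or fragment."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and not parts.query and not parts.fragment


def rewrite_location(request_url: str):
    """Model [QSA,R]: return the redirect target, or None if the rule does not match.

    Apache sends the result as an absolute URL on the same host; only the
    path and query are modelled here.
    """
    parts = urlsplit(request_url)
    # In virtual-host context the pattern is matched against the URL path only.
    if not PATTERN.search(parts.path):
        return None
    # QSA appends the request's query string to the substitution's query string.
    return TARGET + ("&" + parts.query if parts.query else "")


def callback_params(location: str) -> dict:
    """Parameters index.php receives after the browser follows the redirect."""
    return dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))


if __name__ == "__main__":
    print(redirect_uri_is_query_free("https://my.domain/oidc/callback"))
    location = rewrite_location(SAMPLE_CALLBACK)
    print(location)
    print(callback_params(location))
```
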