istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0
217 stars 63 forks

Instead of configuring a `landing_page`, could the authservice send the user back to the original request path that initiated the oauth authorize flow? #43

Closed cfryanr closed 4 years ago

cfryanr commented 5 years ago

If I visit example.com/some_path and the authservice decides that it needs to redirect me to an IDP to login and get tokens, could the authservice send me back to example.com/some_path after it obtains the tokens?

At first glance it would appear that this would require some kind of state to be stored in the authservice. But is there another way? For example, could this state be put into another browser cookie to avoid storing the state server-side?

nickrmc83 commented 4 years ago

~One of the issues with redirecting the user back to their original destination is leaking information about the content the user is browsing to the IdP. If we can discount this as a potential security threat we can probably just encode the original destination in the state cookie.~

Actually, we could place the original destination in the state cookie and redirect the user there. I'm not sure about the UX for this though, particularly if the first request was a POST/PUT/DELETE and not a GET. What would the expected behaviour be?
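The mechanism discussed in this thread, as an added example that is not authservice's own code: the original request path is carried in the browser-held state cookie (so nothing is stored server-side, as the question asks), the cookie is HMAC-signed so the client cannot forge or alter it, and on the callback the `state` value returned by the IdP must match the one in the cookie before the path is honoured. The key, the `DEFAULT_LANDING` fallback and the helper names are assumptions for this example. Only GET requests are replayed by redirect; other methods fall back to the landing page, which is one possible answer to the POST/PUT/DELETE question above, not the project's decision.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Constructed key for the example only; a deployment would load it from configuration.
SECRET_KEY = b"example-only-secret-key-change-me"
# Assumed fallback when the original request cannot be safely replayed.
DEFAULT_LANDING = "/"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def safe_return_path(path) -> str:
    """Accept only a same-origin absolute path such as '/some_path?q=1'.

    Anything that could be interpreted as another origin ('//host', 'https://...',
    backslash tricks) falls back to the landing page, so a value in the cookie can
    never turn the post-login redirect into a redirect off-site.
    """
    if not isinstance(path, str) or not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING
    if "\\" in path:
        return DEFAULT_LANDING
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    return path


def start_login(method: str, path: str):
    """Run when an unauthenticated request arrives.

    Returns (state, cookie_value): `state` goes into the authorize URL sent to the
    IdP, `cookie_value` is set as the state cookie on the browser. Only a GET can be
    repeated by a redirect, so other methods record the landing page instead.
    """
    nonce = secrets.token_urlsafe(16)
    dest = safe_return_path(path) if method.upper() == "GET" else DEFAULT_LANDING
    payload = json.dumps({"state": nonce, "dest": dest}, separators=(",", ":")).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return nonce, _b64e(payload) + "." + _b64e(mac)


def finish_login(state_param: str, cookie_value: str):
    """Run on the OIDC callback after the tokens have been obtained.

    Verifies the cookie's MAC, then checks that the `state` echoed by the IdP is the
    one bound into the cookie. Returns the path to redirect the user to, or None if
    the cookie is missing, altered, or belongs to a different login attempt.
    """
    try:
        payload_b64, mac_b64 = cookie_value.split(".", 1)
        payload = _b64d(payload_b64)
        mac = _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not hmac.compare_digest(str(data.get("state", "")).encode(), str(state_param).encode()):
        return None
    return safe_return_path(data.get("dest"))


if __name__ == "__main__":
    state, cookie = start_login("GET", "/some_path?q=1")
    print("redirect after login:", finish_login(state, cookie))
```

Two design points worth noting: the cookie is held by the browser, so its integrity comes entirely from the MAC, and the same nonce that binds the callback to this login attempt is what prevents a stale or foreign cookie from steering the redirect. The path check in `safe_return_path` is the caveat a practitioner wants when the destination comes from client-held state: it keeps the value to a same-origin path rather than an arbitrary URL.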