mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

Do not set oidc_login_next for AJAX 403 redirects #500

Open drwonky opened 1 year ago

drwonky commented 1 year ago

Moved the oidc_login_next to below the AJAX return; this means AJAX requests will be redirected to the LOGIN_REDIRECT_URL instead of the API endpoint that generated the session refresh.

drwonky commented 1 year ago

See PR #364 for additional context. This is me cleaning up that PR, even if it's 3 years later :wink:

If I can remember rightly, this fix was needed because the flow should go to the LOGIN_REDIRECT_URL after re-authenticating. The problem is that if you catch the re-auths in your application, you don't want the browser being redirected to the REST endpoint that triggered the re-auth after authenticating. It would break the contract with the application.
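The ordering change the PR describes, as an added Django-free sketch rather than the library's own middleware: a plain dict stands in for the Django session, the `X-Requested-With` check stands in for the library's AJAX detection, the status/payload tuples stand in for real responses, and the `LOGIN_REDIRECT_URL` and refresh URL values are assumed. The two `refresh_*` functions differ only in where the `oidc_login_next` assignment sits relative to the AJAX early return, and `post_login_redirect` shows where the browser ends up after re-authentication in each case.

```python
"""Sketch of the oidc_login_next / AJAX-return ordering (constructed, not library code)."""
from dataclasses import dataclass, field

LOGIN_REDIRECT_URL = "/"                 # assumed setting value
REFRESH_URL = "/oidc/authenticate/"      # assumed re-authentication endpoint


@dataclass
class Request:
    """Minimal stand-in for a Django request; ``session`` is a plain dict."""
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    def is_ajax(self) -> bool:
        # Stand-in for the library's AJAX detection (header check assumed).
        return self.headers.get("X-Requested-With") == "XMLHttpRequest"


def refresh_before_fix(request: Request):
    """Old ordering: the return URL is stored before the AJAX branch, so an
    API endpoint can end up as the post-login destination."""
    request.session["oidc_login_next"] = request.path
    if request.is_ajax():
        return ("403", {"refresh_url": REFRESH_URL})
    return ("302", REFRESH_URL)


def refresh_after_fix(request: Request):
    """New ordering: AJAX callers get their 403 payload and no return URL is
    stored; only full-page requests record where to come back to."""
    if request.is_ajax():
        return ("403", {"refresh_url": REFRESH_URL})
    request.session["oidc_login_next"] = request.path
    return ("302", REFRESH_URL)


def post_login_redirect(session: dict) -> str:
    """Where the callback sends the browser after re-authentication:
    the stored next URL if any, otherwise LOGIN_REDIRECT_URL."""
    return session.pop("oidc_login_next", None) or LOGIN_REDIRECT_URL


def demo() -> dict:
    """Run both orderings on an AJAX request to an API path and a normal
    page request, returning the resulting post-login destinations."""
    results = {}
    for name, handler in (("before", refresh_before_fix), ("after", refresh_after_fix)):
        ajax = Request("/api/items/", {"X-Requested-With": "XMLHttpRequest"})
        handler(ajax)
        results[f"{name}_ajax"] = post_login_redirect(ajax.session)

        page = Request("/dashboard/")
        handler(page)
        results[f"{name}_page"] = post_login_redirect(page.session)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the old ordering the AJAX request leaves `/api/items/` in the session, so the browser is sent to the REST endpoint after logging in; with the new ordering the session key is never set for AJAX callers and the browser lands on `LOGIN_REDIRECT_URL`, while ordinary page requests behave the same either way.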