okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware
15 stars 13 forks

Location header returns / path if /authenticate-code/callback is called when Login URL contains a (.) (dot) in parameters #56

Open amitagrawal11 opened 1 year ago

amitagrawal11 commented 1 year ago

Describe the bug?

The Location header gets an empty path if /authenticate-code/callback is called when the login URL contains a (.) (dot) in its parameters.

When an unauthenticated user tries to ping the URL ( https://example.com/software/1.2.3 ) in the browser, the normal OIDC login flow starts and /authenticate-code/callback gets called once the user is authenticated in Okta, but the Location header in the /authenticate-code/callback response is blank ( / ). This means the Location header in the response returns / instead of returning /software/1.2.3.

Refer to the attached screenshot below.

However, if the URL does not contain any (dot), then the exact Location header is received.

What is expected to happen?

The expected behaviour is to receive, in the Location header of the /authenticate-code/callback response, the exact value that was passed in the path parameter of the URL. This means that even if the URL contains a (dot) in its path parameters, the exact path parameter value should be received in the Location header.

e.g.

if the user pings the login URL https://example.com/test/1.2.3

then /authenticate-code/callback should return Location: /test/1.2.3

What is the actual behavior?

But in actuality, the Location header is returned as / instead of /test/1.2.3, e.g.

if the user pings the login URL https://example.com/test/1.2.3

then /authenticate-code/callback returns Location: /

Reproduction Steps?

You just need to add path parameters containing a (.) (dot) to the login URL, such as https://example.com/test/1.2.3, then notice when /authenticate-code/callback is called and check the Location header in the response; it will be empty ( / ).

SDK Versions

"@okta/oidc-middleware": "5.0.0",

Execution Environment

Platform: NodeJS
OS: Windows, Mac

Additional Information?

No response
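An added example, not code from @okta/oidc-middleware (the thread above does not establish where the path is lost): a small Node helper that records the originally requested path before the login redirect and rebuilds the post-callback Location value from it, keeping dotted segments such as /test/1.2.3 intact while refusing targets that would send the user off-site. The function names and the placeholder origin are assumptions.

```javascript
// Added example, not part of okta-oidc-middleware. The helper names below are
// assumptions for illustration; the library's own hooks are not used here.

// Parsing base used only to normalise a relative path; never sent anywhere.
const PLACEHOLDER_ORIGIN = 'http://placeholder.invalid';

// Turn the path a user originally requested into a value that is safe to put in
// the Location header after the OIDC callback. Dots inside segments (1.2.3,
// page.html) are ordinary characters and are preserved; anything that is not a
// same-site relative path falls back to '/'.
function safeReturnPath(original, fallback = '/') {
  if (typeof original !== 'string' || original.length === 0) return fallback;
  // '//host' and '/\host' are interpreted by browsers as protocol-relative URLs,
  // so only a path starting with exactly one '/' is accepted.
  if (!original.startsWith('/') || original.startsWith('//') || original.startsWith('/\\')) {
    return fallback;
  }
  let parsed;
  try {
    parsed = new URL(original, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback;
  }
  // If the origin changed, the input smuggled in a scheme or host.
  if (parsed.origin !== PLACEHOLDER_ORIGIN) return fallback;
  // The WHATWG parser has already collapsed '.' and '..' segments; drop any fragment.
  return parsed.pathname + parsed.search;
}

// Simulated login round-trip using a plain object in place of the session store.
// Before redirecting to the identity provider, remember where the user was going.
function rememberReturnTo(session, requestedPath) {
  session.returnTo = requestedPath;
}

// In the callback handler, compute the Location header and clear the stored value
// so it cannot be replayed by a later login.
function callbackLocation(session) {
  const target = safeReturnPath(session.returnTo);
  delete session.returnTo;
  return target;
}

// Stand-alone demonstration with a constructed session.
const demoSession = {};
rememberReturnTo(demoSession, '/test/1.2.3?tab=docs');
console.log(callbackLocation(demoSession)); // /test/1.2.3?tab=docs
console.log(safeReturnPath('//evil.example/x')); // /
```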

denysoblohin-okta commented 1 year ago

Can you please post the options you pass to the ExpressOIDC constructor? Do you have a custom configuration for routes.loginCallback?

I am not sure dots are the reason for your issue. Are you still being redirected to / if you go to /test/123?

Also, what are your options for express-session? Please provide any other sample code/configs that can help us reproduce your issue.