uafrica / oauth-server

OAuth Server

CakePHP 3.4 uses query param instead of session for login redirect #58

Closed sukihub closed 6 years ago

sukihub commented 7 years ago

Since CakePHP 3.4, a query parameter is used to store the redirect URL for login, instead of the session. Using AuthComponent's redirectUrl() to store it no longer works.

Also, to be more "Cake-ish", we should let AuthComponent handle the login redirect. That is easily done by setting the authorize action as denied.

The OAuth spec, however, requires validating the OAuth params (client_id, redirect_uri, ...) before the login redirect, so I moved these into beforeFilter.

Since the change uses default Cake behavior, it should even be 3.3 compatible; I did not test it though.
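
An added example, not code from this pull request or from the oauth-server plugin: plain PHP showing the ordering described in the comment above, where client_id and redirect_uri are checked before an unauthenticated user is sent to the login page, and the authorize URL then travels to the login page in a query parameter. The client registry, the paths `/oauth/authorize` and `/users/login`, the `redirect` parameter name and the function name are assumptions for illustration, and this example requires redirect_uri to be present.

```php
<?php
declare(strict_types=1);

// Constructed client registry (assumption); a real server loads this from its client store.
const REGISTERED_CLIENTS = [
    'demo-client' => ['https://app.example.test/callback'],
];

/**
 * Decide what to do with an authorize request BEFORE any login redirect.
 * Returns ['error', reason], ['login', url] or ['authorize', null].
 * Hypothetical helper, not a CakePHP or plugin API.
 */
function handleAuthorizeRequest(array $query, bool $loggedIn): array
{
    $clientId = $query['client_id'] ?? null;
    $redirectUri = $query['redirect_uri'] ?? null;

    // Unknown client: report the error locally, never redirect anywhere.
    if (!is_string($clientId) || !isset(REGISTERED_CLIENTS[$clientId])) {
        return ['error', 'invalid client_id'];
    }
    // redirect_uri must equal a registered value exactly (no prefix or wildcard match).
    if (!is_string($redirectUri)
        || !in_array($redirectUri, REGISTERED_CLIENTS[$clientId], true)) {
        return ['error', 'invalid redirect_uri'];
    }

    if (!$loggedIn) {
        // Only a validated request reaches the login page. The return target is a
        // fixed local path plus the original query, carried in a query parameter.
        $return = '/oauth/authorize?' . http_build_query($query);
        return ['login', '/users/login?' . http_build_query(['redirect' => $return])];
    }
    return ['authorize', null];
}

// Constructed requests: valid and logged out, valid and logged in, unregistered redirect_uri.
$ok = ['client_id' => 'demo-client',
       'redirect_uri' => 'https://app.example.test/callback',
       'response_type' => 'code'];
$bad = ['redirect_uri' => 'https://unregistered.example.test/cb'] + $ok;

foreach ([[$ok, false], [$ok, true], [$bad, false]] as [$query, $loggedIn]) {
    echo json_encode(handleAuthorizeRequest($query, $loggedIn)), PHP_EOL;
}
```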

sukihub commented 7 years ago

The test fails on CakePHP 3.3, because the redirect URL is not stored in the URL and the test expects it there, but it should work.

I would leave the test like this, to be sure that redirection works in the future.

dakota commented 6 years ago

Thank you

klickagent commented 6 years ago

Hi. I cannot get the authorize site to work properly. If the user is not logged in, there is no redirect to the login page after updating to CakePHP 3.4. Help highly appreciated.