feat: add RedirectUriPrefix support to OpenIdConnectConfiguration for sub-path deployments#809
Greptile Summary
This PR adds a

Confidence Score: 4/5
Safe to merge for typical deployments; the only risk is a misconfigured prefix (missing leading slash) producing a silently broken redirect URI. Both call sites are updated consistently, and the default behaviour (empty prefix) is unchanged. The main gap is that there is no guard ensuring
| Filename | Overview |
|---|---|
| src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs | Adds nullable `RedirectUriPrefix` property; XML doc comment uses non-standard `<b>` tag and has a double space, but the property itself is correct. |
| src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs | Consistently inserts `RedirectUriPrefix` in both `RedirectToAuthorizationServer` and `ReceiveAuthorizationCode`; no validation that the prefix starts with `/`, which can silently produce a malformed URI. |
Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant ElsaStudio as Elsa Studio (Blazor)
    participant IdP as Identity Provider
    User->>ElsaStudio: Navigate to protected page
    ElsaStudio->>ElsaStudio: "Build redirect_uri: {origin} + RedirectUriPrefix + /signin-oidc"
    ElsaStudio->>IdP: "GET /authorize?redirect_uri=https://myapp.com/workflow/signin-oidc&..."
    IdP-->>User: Login page
    User->>IdP: Submit credentials
    IdP-->>ElsaStudio: "Redirect to https://myapp.com/workflow/signin-oidc?code=..."
    ElsaStudio->>ElsaStudio: ReceiveAuthorizationCode() re-builds same redirect_uri with prefix
    ElsaStudio->>IdP: POST /token (code + redirect_uri)
    IdP-->>ElsaStudio: Access / Refresh / ID tokens
    ElsaStudio-->>User: Authenticated, navigate to returnUrl
```
---
### Issue 1 of 2
src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs:24
**Missing leading-slash guard on `RedirectUriPrefix`**
If a user configures `RedirectUriPrefix` without a leading `/` (e.g., `"workflow"` instead of `"/workflow"`), the resulting URI will be malformed: `https://myapp.comworkflow/signin-oidc`. The IdP will reject it with an opaque "invalid redirect_uri" error that is hard to debug. Since the same expression is duplicated in both `RedirectToAuthorizationServer` and `ReceiveAuthorizationCode`, both methods are affected. Adding a trim/normalization step (e.g., ensuring the prefix starts with `/` when non-empty) or at least documenting the expectation in the XML comment would prevent this silent misconfiguration.
### Issue 2 of 2
src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs:23-25
The XML documentation comment has two style issues: a double space in "can be set before", and `<b>` is not a standard C# XML doc element (standard tags are `<c>`, `<para>`, `<em>`, etc.). The `<b>` tag will render inconsistently across documentation generators. Replacing it with `<c>` makes the example render correctly as a code fragment.
```suggestion
/// <summary>
/// A prefix to insert before <c>/signin-oidc</c> when constructing the redirect_uri for the authorization request.
/// Useful for sub-path deployments behind a reverse proxy, e.g. setting this to <c>/workflow</c> produces
/// <c>https://myapp.com/workflow/signin-oidc</c>. The value must start with <c>/</c>. When not set the redirect_uri
/// defaults to <c>{origin}/signin-oidc</c>.
/// </summary>
```
Reviews (1): Last reviewed commit: "remove space"
Purpose
Allow applications using the ElsaLogin OIDC flow to configure a path prefix for the redirect_uri,
enabling correct authentication in sub-path deployments where the IdP enforces a specific redirect_uri format.
Scope
Select one primary concern:
This produces `https://myapp.com/workflow/signin-oidc` instead of `https://myapp.com/signin-oidc`. When not set, behaviour is unchanged — defaults to `{origin}/signin-oidc`.

Verification
Steps:
1. … /workflow).
2. Set `Authentication:ElsaLogin:RedirectUriPrefix` to `/workflow` in `appsettings.json`.
3. Add `https://myapp.com/workflow/signin-oidc` as an allowed redirect URI in your IdP (e.g., Azure AD, Keycloak).

Expected outcome: The authorization request is sent with `redirect_uri=https://myapp.com/workflow/signin-oidc`, the IdP accepts it, and the user is successfully authenticated.
Screenshots / Recordings (if applicable)
N/A — No UI changes. This is a configuration and service-layer change only.
Checklist
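The leading-slash guard that Issue 1 of the review asks for, and the `{origin}{prefix}/signin-oidc` construction the description verifies, as an added example. This is a hypothetical stand-alone helper, not Elsa Studio's own code; the names `RedirectUriBuilder`, `NormalizePrefix` and `BuildRedirectUri` are assumptions. Putting the normalization in one helper used by both call sites matters because the IdP compares the redirect_uri from the token request byte-for-byte against the one from the authorization request.

```csharp
using System;

// Hypothetical helper (not part of Elsa Studio) centralizing the redirect_uri build
// so RedirectToAuthorizationServer and ReceiveAuthorizationCode cannot drift apart.
public static class RedirectUriBuilder
{
    // Normalizes a configured RedirectUriPrefix: "workflow" and "/workflow/" both
    // become "/workflow"; null, empty, whitespace or "/" become "" (default behaviour),
    // so a missing leading slash can no longer yield "https://myapp.comworkflow/...".
    public static string NormalizePrefix(string? prefix)
    {
        if (string.IsNullOrWhiteSpace(prefix))
            return string.Empty;

        var trimmed = prefix.Trim().TrimEnd('/');
        if (trimmed.Length == 0)
            return string.Empty;

        // Extra check beyond what the review asks for: a query or fragment inside the
        // prefix would change the meaning of the URI, so fail fast at configuration time.
        if (trimmed.IndexOfAny(new[] { '?', '#' }) >= 0)
            throw new ArgumentException("RedirectUriPrefix must be a plain path segment.", nameof(prefix));

        return trimmed.StartsWith('/') ? trimmed : "/" + trimmed;
    }

    // Builds {origin}{prefix}/signin-oidc. A trailing slash on the origin is tolerated
    // so that the result never contains a doubled slash.
    public static string BuildRedirectUri(string origin, string? prefix)
    {
        var normalizedOrigin = origin.TrimEnd('/');
        return $"{normalizedOrigin}{NormalizePrefix(prefix)}/signin-oidc";
    }

    public static void Main()
    {
        // Constructed sample inputs: the documented case, a prefix missing its leading
        // slash, a prefix with a trailing slash, and the unset default.
        Console.WriteLine(BuildRedirectUri("https://myapp.com", "/workflow"));
        Console.WriteLine(BuildRedirectUri("https://myapp.com", "workflow"));
        Console.WriteLine(BuildRedirectUri("https://myapp.com/", "/workflow/"));
        Console.WriteLine(BuildRedirectUri("https://myapp.com", null));
    }
}
```

The first three calls produce the same URI, which is the value to register as the allowed redirect URI in the IdP; the last falls back to the unprefixed default.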