Preserve target route post-auth

Redirect users back to the page they asked for after authentication using a signed return URL

Users may bookmark specific pages of your app, but their session might be expired. They need to be redirected to the page they asked for after authentication. That means your app needs to preserve the user’s original destination.

You will capture the user’s original destination, carry it through the OAuth flow safely, and redirect back after login. You will prevent open-redirect attacks by validating and signing the return URL.

Capture the intended destination
Section titled “Capture the intended destination”

When an unauthenticated user requests a protected route, capture its path.
Express.js
1 app.get('/login', (req, res) => { 2 const nextPath = typeof req.query.next === 'string' ? req.query.next : '/' 3 // Only allow internal paths 4 const safe = nextPath.startsWith('/') && !nextPath.startsWith('//') ? nextPath : '/' 5 res.cookie('sk_return_to', safe, { httpOnly: true, secure: true, sameSite: 'lax', path: '/' }) 6 // build authorization URL next 7 })
Flask
1 @app.route('/login') 2 def login(): 3 next_path = request.args.get('next', '/') 4 safe = next_path if next_path.startswith('/') and not next_path.startswith('//') else '/' 5 resp = make_response() 6 resp.set_cookie('sk_return_to', safe, httponly=True, secure=True, samesite='Lax', path='/') 7 return resp
Gin
1 func login(c *gin.Context) { 2 nextPath := c.Query("next") 3 if nextPath == "" || !strings.HasPrefix(nextPath, "/") || strings.HasPrefix(nextPath, "//") { 4 nextPath = "/" 5 } 6 cookie := &http.Cookie{Name: "sk_return_to", Value: nextPath, HttpOnly: true, Secure: true, Path: "/"} 7 http.SetCookie(c.Writer, cookie) 8 }
Spring
1 @GetMapping("/login") 2 public void login(HttpServletRequest request, HttpServletResponse response) { 3 String nextPath = Optional.ofNullable(request.getParameter("next")).orElse("/"); 4 boolean safe = nextPath.startsWith("/") && !nextPath.startsWith("//"); 5 Cookie cookie = new Cookie("sk_return_to", safe ? nextPath : "/"); 6 cookie.setHttpOnly(true); cookie.setSecure(true); cookie.setPath("/"); 7 response.addCookie(cookie); 8 }
If you access req.cookies in Node.js, enable cookie parsing middleware (for example, cookie-parser) early in your server setup.

Build the authorization URL

Generate the authorization URL as in the quickstart. Optionally include a short hint in state like "n=/billing" after signing or encoding.

1
const redirectUri = 'https://your-app.com/auth/callback'
2
const options = { scopes: ['openid','profile','email','offline_access'] }
3
const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options)
4
res.redirect(authorizationUrl)

1
redirect_uri = 'https://your-app.com/auth/callback'
2
options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'])
3
authorization_url = scalekit_client.get_authorization_url(redirect_uri, options)
4
return redirect(authorization_url)

1
redirectUri := "https://your-app.com/auth/callback"
2
options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}}
3
authorizationURL, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
4
c.Redirect(http.StatusFound, authorizationURL.String())

1
String redirectUri = "https://your-app.com/auth/callback";
2
AuthorizationUrlOptions options = new AuthorizationUrlOptions();
3
options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
4
URL authorizationUrl = scalekitClient.authentication().getAuthorizationUrl(redirectUri, options);
5
return new RedirectView(authorizationUrl.toString());

After callback, redirect safely

After exchanging the code and creating a session, read sk_return_to. Validate and normalize the path. Default to /dashboard or /.

1
app.get('/auth/callback', async (req, res) => {
2
  // ... exchange code ...
3
  const raw = req.cookies.sk_return_to || '/'
4
  const safe = raw.startsWith('/') && !raw.startsWith('//') ? raw : '/'
5
  res.clearCookie('sk_return_to', { path: '/' })
6
  res.redirect(safe || '/dashboard')
7
})

1
def callback():
2
    # ... exchange code ...
3
    raw = request.cookies.get('sk_return_to', '/')
4
    safe = raw if raw.startswith('/') and not raw.startswith('//') else '/'
5
    resp = redirect(safe or '/dashboard')
6
    resp.delete_cookie('sk_return_to', path='/')
7
    return resp

1
func callback(c *gin.Context) {
2
  // ... exchange code ...
3
  raw, _ := c.Cookie("sk_return_to")
4
  if raw == "" || !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") {
5
    raw = "/"
6
  }
7
  http.SetCookie(c.Writer, &http.Cookie{Name: "sk_return_to", Value: "", MaxAge: -1, Path: "/"})
8
  c.Redirect(http.StatusFound, raw)
9
}

1
public RedirectView callback(HttpServletRequest request, HttpServletResponse response) {
2
  // ... exchange code ...
3
  String raw = getCookie(request, "sk_return_to").orElse("/");
4
  boolean ok = raw.startsWith("/") && !raw.startsWith("//");
5
  Cookie clear = new Cookie("sk_return_to", ""); clear.setPath("/"); clear.setMaxAge(0);
6
  response.addCookie(clear);
7
  return new RedirectView(ok ? raw : "/dashboard");
8
}

Sign return_to values Optional

If you pass return_to via query string or store longer values, compute an HMAC and verify it before redirecting. Reject unsigned or invalid pairs.

1
import crypto from 'crypto'
2
function sign(value, secret) {
3
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64url')
4
  return `${value}|${mac}`
5
}
6
function verify(signed, secret) {
7
  const [v, mac] = signed.split('|')
8
  const good = crypto.timingSafeEqual(Buffer.from(mac), Buffer.from(sign(v, secret).split('|')[1]))
9
  return good ? v : null
10
}

1
import hmac, hashlib, base64
2
def sign(value: str, secret: bytes) -> str:
3
    mac = hmac.new(secret, value.encode(), hashlib.sha256).digest()
4
    return f"{value}|{base64.urlsafe_b64encode(mac).decode().rstrip('=')}"
5
def verify(signed: str, secret: bytes) -> str | None:
6
    try:
7
        value, mac = signed.split('|', 1)
8
        expected = sign(value, secret).split('|', 1)[1]
9
        if hmac.compare_digest(mac, expected):
10
            return value
11
    except Exception:
12
        pass
13
    return None

1
import (
2
  "crypto/hmac"
3
  "crypto/sha256"
4
  "encoding/base64"
5
)
6
func sign(value string, secret []byte) string {
7
  mac := hmac.New(sha256.New, secret)
8
  mac.Write([]byte(value))
9
  sum := mac.Sum(nil)
10
  return value + "|" + base64.RawURLEncoding.EncodeToString(sum)
11
}
12
func verify(signed string, secret []byte) *string {
13
  parts := strings.SplitN(signed, "|", 2)
14
  if len(parts) != 2 { return nil }
15
  expected := strings.SplitN(sign(parts[0], secret), "|", 2)[1]
16
  if hmac.Equal([]byte(parts[1]), []byte(expected)) {
17
    return &parts[0]
18
  }
19
  return nil
20
}

1
import javax.crypto.Mac;
2
import javax.crypto.spec.SecretKeySpec;
3
import java.util.Base64;
4
String sign(String value, byte[] secret) throws Exception {
5
  Mac mac = Mac.getInstance("HmacSHA256");
6
  mac.init(new SecretKeySpec(secret, "HmacSHA256"));
7
  byte[] raw = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
8
  String b64 = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
9
  return value + "|" + b64;
10
}
11
String verify(String signed, byte[] secret) throws Exception {
12
  String[] parts = signed.split("\\|", 2);
13
  if (parts.length != 2) return null;
14
  String expected = sign(parts[0], secret).split("\\|", 2)[1];
15
  return MessageDigest.isEqual(parts[1].getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8)) ? parts[0] : null;
16
}