Direct Moodle activity links lose wantsurl after Microsoft/OIDC login

[rousb353]

After updating to release 4.5.6, direct Moodle activity links no longer preserve the original wantsurl after Microsoft / OpenID Connect login.

Description

When a user opens a direct link to a protected Moodle activity, for example https://example.com/mod/quiz/view.php?id=7209, the previous behavior was:

Direct activity link -> Moodle login -> Microsoft login -> back to the activity

The current behavior is:

Direct activity link -> Moodle login -> Microsoft login -> Moodle default page

The user is authenticated successfully, but the original activity URL is lost. Manual Moodle authentication still redirects correctly, so the issue seems specific to the Microsoft / OpenID Connect login flow.

Environment

• Moodle: 4.5.11+
• auth_oidc: 4.5.6
• local_o365: 4.5.6
• Login flow: authcode
• forceredirect: disabled
• silentloginmode: disabled
• forcelogin: disabled
• alternateloginurl: empty
• Auto-login guests: disabled

Workaround tested successfully

We were able to fix the issue by preserving $SESSION->wantsurl in the existing OIDC state additional data, then restoring it after the OIDC callback before the final redirect.

File: auth/oidc/classes/loginflow/authcode.php

After $stateparams = ['forceflow' => 'authcode'];, add:

if (!empty($SESSION->wantsurl) && strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) { $stateparams['wantsurl'] = $SESSION->wantsurl; }

After $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);, add:

if (!empty($additionaldata['wantsurl']) && strpos($additionaldata['wantsurl'], $CFG->wwwroot) === 0) { $SESSION->wantsurl = $additionaldata['wantsurl']; }

After purging Moodle caches, direct activity links correctly redirect back to the original activity after Microsoft login.

Expected behavior

After Microsoft / OpenID Connect authentication, users should be redirected back to the original Moodle URL stored in wantsurl.

Actual behavior

Users are redirected to the Moodle default page instead of the original activity.

Security note

The workaround validates that the restored URL starts with $CFG->wwwroot before assigning it back to $SESSION->wantsurl, to avoid open redirect issues.

[weilai-irl]

Hi @rousb353

Thank you for reporting the issue.

We couldn't recreate the issue, but our investigation revealed that whether wantsurl is retained may be affected by the session management configuration of the site. A safer solution is to save the wantsurl into OIDC state data. Please test the solution provided in the linked PR and see if it works.

Regards,
Lai

[rousb353]

I tested the PR solution.

The PR fixes the issue on our site. Direct activity links now correctly return to the original activity after Microsoft / OpenID Connect login.

This confirms that preserving wantsurl in the OIDC state data resolves the problem in our environment.

Thank you for the quick fix.

Regards,
Benoît

[weilai-irl]

Hi @rousb353

Thank you for your confirmation.

Regards,
Lai

[weilai-irl]

Hi @rousb353

If you don't mind, I'll keep this one open until the fix is released. ETA next 4 weeks.

Regards,
Lai

[bts0004]

Confirming that this issue affects my installation as well - Moodle 5.1.4 / auth_oidc 5.1.1.

These are the fixes that worked for me when I was troubleshooting:

$stateparams = ['forceflow' => 'authcode'];
// Preserve wantsurl across OAuth round-trip.
if (isset($SESSION->wantsurl)) {
    $stateparams['wantsurl'] = $SESSION->wantsurl;
}

and

// Capture wantsurl from state before session regeneration during handlelogin.
$wantsurl = null;
if (!empty($additionaldata['wantsurl']) && (strpos($additionaldata['wantsurl'], $CFG->wwwroot) === 0)) {
    $wantsurl = $additionaldata['wantsurl'];
}
$this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
// ... (sid record insertion) ...
redirect(!empty($wantsurl) ? new moodle_url($wantsurl) : core_login_get_return_url());