move into conern

app/controllers/application_controller.rb

@@ -494,15 +494,4 @@ def handle_banned_user
     sign_out
     redirect_to banned_user_url
   end
-
-  def oidc_redirect_method(issuer:, user_uuid:)
-    user_redirect_method_override =
-      IdentityConfig.store.openid_connect_redirect_uuid_override_map[user_uuid]
-
-    sp_redirect_method_override =
-      IdentityConfig.store.openid_connect_redirect_issuer_override_map[issuer]
-
-    user_redirect_method_override || sp_redirect_method_override ||
-      IdentityConfig.store.openid_connect_redirect
-  end
 end

app/controllers/concerns/secure_headers_concern.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module SecureHeadersConcern
+  include OpenidConnectRedirectConcern
   extend ActiveSupport::Concern
 
   def apply_secure_headers_override
@@ -9,11 +10,10 @@ def apply_secure_headers_override
     authorize_form = OpenidConnectAuthorizeForm.new(authorize_params)
     return unless authorize_form.valid?
 
-    return if !IdentityConfig.store.openid_connect_content_security_form_action_enabled &&
-              oidc_redirect_method(
-                issuer: authorize_form.service_provider.issuer,
-                user_uuid: current_user&.uuid,
-              ) != 'server_side'
+    return if form_action_csp_disabled_and_not_server_side_redirect?(
+      issuer: authorize_form.service_provider.issuer,
+      user_uuid: current_user&.uuid,
+    )
 
     override_form_action_csp(csp_uris)
   end

app/controllers/openid_connect/authorization_controller.rb

@@ -9,6 +9,7 @@ class AuthorizationController < ApplicationController
     include AuthorizationCountConcern
     include BillableEventTrackable
     include ForcedReauthenticationConcern
+    include OpenidConnectRedirectConcern
 
     before_action :build_authorize_form_from_params, only: [:index]
     before_action :block_biometric_requests_in_production, only: [:index]
@@ -137,13 +138,10 @@ def build_authorize_form_from_params
     end
 
     def secure_headers_override
-      if !IdentityConfig.store.openid_connect_content_security_form_action_enabled &&
-         oidc_redirect_method(
-           issuer: @authorize_form.service_provider.issuer,
-           user_uuid: current_user&.id,
-         ) != 'server_side'
-        return
-      end
+      return if form_action_csp_disabled_and_not_server_side_redirect?(
+        issuer: @authorize_form.service_provider.issuer,
+        user_uuid: current_user&.uuid,
+      )
 
       csp_uris = SecureHeadersAllowList.csp_with_sp_redirect_uris(
         @authorize_form.redirect_uri,

app/controllers/openid_connect/logout_controller.rb

@@ -4,6 +4,7 @@ module OpenidConnect
   class LogoutController < ApplicationController
     include SecureHeadersConcern
     include FullyAuthenticatable
+    include OpenidConnectRedirectConcern
 
     before_action :set_devise_failure_redirect_for_concurrent_session_logout, only: [:index]
     before_action :confirm_two_factor_authenticated, only: [:delete]
@@ -68,13 +69,10 @@ def redirect_user(redirect_uri, issuer, user_uuid)
 
     def apply_logout_secure_headers_override(redirect_uri, service_provider)
       return if service_provider.nil? || redirect_uri.nil?
-      if !IdentityConfig.store.openid_connect_content_security_form_action_enabled &&
-         oidc_redirect_method(
-           issuer: service_provider.issuer,
-           user_uuid: current_user&.id,
-         ) != 'server_side'
-        return
-      end
+      return if form_action_csp_disabled_and_not_server_side_redirect?(
+        issuer: service_provider.issuer,
+        user_uuid: current_user&.id,
+      )
 
       uris = SecureHeadersAllowList.csp_with_sp_redirect_uris(
         redirect_uri,