Add support for client-side OIDC redirect by UUID

app/controllers/openid_connect/authorization_controller.rb

@@ -76,7 +76,10 @@ def handle_successful_handoff
       track_events
       SpHandoffBounce::AddHandoffTimeToSession.call(sp_session)
 
-      redirect_user(@authorize_form.success_redirect_uri)
+      redirect_user(
+        @authorize_form.success_redirect_uri,
+        current_user.uuid,
+      )
 
       delete_branded_experience
     end
@@ -127,7 +130,7 @@ def pre_validate_authorize_form
       if redirect_uri.nil?
         render :error
       else
-        redirect_user(redirect_uri)
+        redirect_user(redirect_uri, current_user&.uuid)
       end
     end
 
@@ -186,15 +189,20 @@ def track_events
       track_billing_events
     end
 
-    def redirect_user(redirect_uri)
-      case IdentityConfig.store.openid_connect_redirect
-      when :client_side
+    def redirect_user(redirect_uri, user_uuid)
+      redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch(
+        user_uuid,
+        IdentityConfig.store.openid_connect_redirect,
+      )
+
+      case redirect_method
+      when 'client_side'
         @oidc_redirect_uri = redirect_uri
         render(
           'openid_connect/shared/redirect',
           layout: false,
         )
-      when :client_side_js
+      when 'client_side_js'
         @oidc_redirect_uri = redirect_uri
         render(
           'openid_connect/shared/redirect_js',

app/controllers/openid_connect/logout_controller.rb

@@ -30,7 +30,7 @@ def delete
         analytics.logout_initiated(**result.to_h.except(:redirect_uri))
         irs_attempts_api_tracker.logout_initiated(success: result.success?)
 
-        redirect_user(redirect_uri)
+        redirect_user(redirect_uri, current_user&.uuid)
         sign_out
       else
         render :error
@@ -39,15 +39,20 @@ def delete
 
     private
 
-    def redirect_user(redirect_uri)
-      case IdentityConfig.store.openid_connect_redirect
-      when :client_side
+    def redirect_user(redirect_uri, user_uuid)
+      redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch(
+        user_uuid,
+        IdentityConfig.store.openid_connect_redirect,
+      )
+
+      case redirect_method
+      when 'client_side'
         @oidc_redirect_uri = redirect_uri
         render(
           'openid_connect/shared/redirect',
           layout: false,
         )
-      when :client_side_js
+      when 'client_side_js'
         @oidc_redirect_uri = redirect_uri
         render(
           'openid_connect/shared/redirect_js',
@@ -105,7 +110,7 @@ def handle_successful_logout_request(result, redirect_uri)
 
         sign_out
 
-        redirect_user(redirect_uri)
+        redirect_user(redirect_uri, current_user&.uuid)
       end
     end
 

config/application.yml.default

@@ -211,6 +211,7 @@ minimum_wait_before_another_usps_letter_in_hours: 24
 mx_timeout: 3
 openid_connect_redirect: client_side_js
 openid_connect_content_security_form_action_enabled: false
+openid_connect_redirect_uuid_override_map: '{}'
 otp_delivery_blocklist_maxretry: 10
 otp_valid_for: 10
 otp_expiration_warning_seconds: 150

lib/identity_config.rb

@@ -322,8 +322,12 @@ def self.build_store(config_map)
     config.add(:nonessential_email_banlist, type: :json)
     config.add(
       :openid_connect_redirect,
-      type: :symbol,
-      enum: [:server_side, :client_side, :client_side_js],
+      type: :string,
+      enum: ['server_side', 'client_side', 'client_side_js'],
+    )
+    config.add(
+      :openid_connect_redirect_uuid_override_map,
+      type: :json,
     )
     config.add(:openid_connect_content_security_form_action_enabled, type: :boolean)
     config.add(:otp_delivery_blocklist_findtime, type: :integer)