fix OIDC login redirect flow #5294

Open
jesielviana wants to merge 2 commits into DSpace:main from LA-Referencia-Lyrasis-Project:fix/oidc-auth-redirect

@jesielviana
Contributor

References

Description

This change fixes the post-login redirect behavior for external authentication providers that rely on a nested callback URL, such as OIDC and ORCID.

Instructions for Reviewers

Root Cause
The logic in AuthService.getExternalServerRedirectUrl() only handled this case: .../login?redirectUrl=<ui-route>
It did not handle this case: https://provider.example/authorize?...&redirect_uri=https://rest.example/api/authn/oidc
As a result, OIDC/ORCID callbacks reached the backend without the intended redirectUrl.

Implementation
The redirect URL handling was updated in src/app/core/auth/auth.service.ts to support three scenarios:

  1. If the external URL already has a top-level redirectUrl, replace it.
  2. If the external URL has a redirect_uri, append the requested page as redirectUrl to that nested callback URL.
  3. If neither parameter exists, add a top-level redirectUrl.

The implementation also preserves existing query parameters already present on the nested redirect_uri.

List of changes in this PR:

  1. Redirect URL handling: src/app/core/auth/auth.service.ts
     Updated getExternalServerRedirectUrl() so that it:
       • parses the external login URL with URL
       • rewrites a top-level redirectUrl when present
       • injects redirectUrl into nested redirect_uri values for OIDC/ORCID
       • preserves hashes and existing query parameters
       • returns either an absolute URL or a path-relative URL, depending on the original input
  2. Unit tests: src/app/core/auth/auth.service.spec.ts
     Added coverage for:
       • replacing a top-level redirectUrl
       • injecting redirectUrl into a nested redirect_uri
       • preserving existing nested query parameters when injecting redirectUrl

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You do not need to complete this checklist prior to creating your PR (draft PRs are always welcome).
However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

  • My PR is created against the main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
  • My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
  • My PR passes ESLint validation using npm run lint
  • My PR doesn't introduce circular dependencies (verified via npm run check-circ-deps)
  • My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
  • My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
  • My PR aligns with Accessibility guidelines if it makes changes to the user interface.
  • My PR uses i18n (internationalization) keys instead of hardcoded English text, to allow for translations.
  • My PR includes details on how to test it. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
  • If my PR includes new libraries/dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
  • If my PR includes new features or configurations, I've provided basic technical documentation in the PR itself.
  • If my PR fixes an issue ticket, I've linked them together.
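
The three scenarios listed in the PR description, written out as an added TypeScript example. This is not the code from the PR or from DSpace; `withRedirectUrl`, `parse`, `render`, `PLACEHOLDER_ORIGIN` and the sample URL are assumptions made for the illustration.

```typescript
// Added illustration of the three scenarios; not the PR's implementation.
// Function, helper and constant names are hypothetical.
const PLACEHOLDER_ORIGIN = 'http://placeholder.invalid'; // only used to parse relative input

interface Parsed { url: URL; absolute: boolean; }

// Parse absolute or path-relative input and remember which one it was.
function parse(raw: string): Parsed {
  const absolute = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  return { url: new URL(raw, PLACEHOLDER_ORIGIN), absolute };
}

// Give back the same shape the caller passed in (absolute URL or path + query + hash).
function render(p: Parsed): string {
  return p.absolute ? p.url.toString() : p.url.pathname + p.url.search + p.url.hash;
}

function withRedirectUrl(externalLoginUrl: string, redirectRoute: string): string {
  const outer = parse(externalLoginUrl);
  const params = outer.url.searchParams;
  const nested = params.get('redirect_uri');

  if (params.has('redirectUrl')) {
    // Scenario 1: replace the existing top-level redirectUrl.
    params.set('redirectUrl', redirectRoute);
  } else if (nested !== null) {
    // Scenario 2: add redirectUrl to the nested callback, keeping its own query
    // parameters, then write the callback back as a single encoded value.
    const callback = parse(nested);
    callback.url.searchParams.set('redirectUrl', redirectRoute);
    params.set('redirect_uri', render(callback));
  } else {
    // Scenario 3: neither parameter exists, add a top-level redirectUrl.
    params.set('redirectUrl', redirectRoute);
  }
  return render(outer);
}

// Constructed sample input (hosts follow the PR description's examples).
const SAMPLE_OIDC =
  'https://provider.example/authorize?client_id=abc' +
  '&redirect_uri=https%3A%2F%2Frest.example%2Fapi%2Fauthn%2Foidc%3Ftenant%3Dx';
console.log(withRedirectUrl(SAMPLE_OIDC, '/items/123'));
```

Because the nested redirectUrl ends up deciding where the browser lands after login, the side that finally follows it should accept only UI routes or origins it trusts.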

Copilot AI review requested due to automatic review settings March 18, 2026 18:23

Copilot AI left a comment

Pull request overview

Fixes external authentication post-login redirect handling by correctly propagating the UI redirect route through both top-level redirectUrl parameters and nested OIDC/ORCID-style redirect_uri callback URLs.

Changes:

  • Update AuthService.getExternalServerRedirectUrl() to parse & rewrite external login URLs (including nested redirect_uri) while preserving query/hash.
  • Add unit tests covering top-level redirectUrl replacement, nested redirect_uri injection, and preservation of nested query params.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File and description:

  • src/app/core/auth/auth.service.ts: Reworks external redirect URL rewriting to support nested callback (redirect_uri) scenarios for OIDC/ORCID.
  • src/app/core/auth/auth.service.spec.ts: Adds specs validating the new redirect URL rewriting behavior.

Comments suppressed due to low confidence (1)

src/app/core/auth/auth.service.ts:30

  • Cookies import was removed, but this file still references Cookies.CookieAttributes (e.g., when setting cookie options). This will cause a TypeScript compile error (Cannot find name 'Cookies'). Re-add the import as a type-only import (e.g., import type Cookies from 'js-cookie') or switch the annotations to use the project’s cookie option type without relying on Cookies here.
  Store,
} from '@ngrx/store';
import { TranslateService } from '@ngx-translate/core';
import {
  Observable,
  of,
} from 'rxjs';
import {

jesielviana force-pushed the fix/oidc-auth-redirect branch from b347ba7 to fc49ae9 on March 18, 2026 18:39
lgeggleston added the labels bug, usability, 1 APPROVAL, port to dspace-7_x, authentication: OIDC, port to dspace-8_x, port to dspace-9_x and authentication: ORCID on Mar 18, 2026
lgeggleston moved this to 🙋 Needs Reviewers Assigned in DSpace 10.0 Release on Mar 18, 2026
@lgeggleston

@jesielviana Thank you for creating this! You may have seen already, but note it's currently failing one of the unit tests.

We can try to port this since it was reported on 8.x, and I added 7.x in case that works as well.

@tinsch
Contributor

tinsch commented Mar 19, 2026

Hey @jesielviana, I was wondering if we maybe could fix the root cause of this issue, having two different redirect URL param names? Would it be an option to use only redirect_uri and handle the relative path issues somehow? Apologies if you already tried that option and it did not work.

@jesielviana
Contributor Author

Good point @tinsch, I haven’t tried that approach yet. If you’d like to give it a try, that would be great.

Labels

  • 1 APPROVAL - pull request only requires a single approval to merge
  • authentication: OIDC - related to OpenID Connect (OIDC)
  • authentication: ORCID - related to authentication via ORCID
  • bug
  • port to dspace-7_x - This PR needs to be ported to `dspace-7_x` branch for next bug-fix release
  • port to dspace-8_x - This PR needs to be ported to `dspace-8_x` branch for next bug-fix release
  • port to dspace-9_x - This PR needs to be ported to `dspace-9_x` branch for next bug-fix release
  • usability

Projects

Status: 🙋 Needs Reviewers Assigned

Development

Successfully merging this pull request may close these issues.

OIDC authentication fails to redirect to originally requested page (redirects to /home instead)
