Index: openacs-4/packages/xooauth/www/github-login-handler.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/www/github-login-handler.tcl,v
diff -u -r1.1.2.1 -r1.1.2.2
--- openacs-4/packages/xooauth/www/github-login-handler.tcl	8 May 2023 17:37:52 -0000	1.1.2.1
+++ openacs-4/packages/xooauth/www/github-login-handler.tcl	11 May 2023 16:43:57 -0000	1.1.2.2
@@ -17,35 +17,33 @@
 set name [$auth_obj name]
 set title "$name Authorization"
 
-set login_url [$auth_obj login_url]
+set login_url [$auth_obj login_url -return_url [ns_queryget return_url]]
 set logout_url [$auth_obj logout_url]
 set data ""
 
 if {[ns_queryget code] ne ""} {
-   set data [$auth_obj perform_login -token [ns_queryget code]]
+    set data [$auth_obj perform_login \
+                  -token [ns_queryget code] \
+                  -state [ns_queryget state]]
 }
 
 if {![$auth_obj cget -debug]
     && [dict exists $data user_id]
     && [dict get $data user_id] > 0
 } {
-        #
-        # Login was performed, just redirect to the right place.
-        #
-        # We can use "state" on azure as redirect URL (since it has a
-        # nonce), but on the GitHub description, it says clearly, that
-        # it should be an unguessable random string...  Maybe, we can
-        # cookup later some compromise.
-        #
-        #set redirect_url [ns_queryget state \
-        #                      [$auth_obj cget -after_successful_login_url]]
-        set redirect_url [$auth_obj cget -after_successful_login_url]
-        if {[string range $redirect_url 0 0] eq "/"} {
-            ad_returnredirect $redirect_url
-        } else {
-            ns_log warning "OAuth redirect URL looks suspicious: '$redirect_url'"
-        }
-        ad_script_abort
+    #
+    # Login was performed, just redirect to the right place.
+    #
+    set return_url [$auth_obj cget -after_successful_login_url]
+    if {[dict exists $data decoded_state return_url]} {
+        set return_url [dict get $data decoded_state return_url]
+    }
+    if {[string range $return_url 0 0] ne "/"} {
+        ns_log warning "OAuth redirect URL looks suspicious: '$return_url'"
+        set return_url /pvt
+    }
+    ad_returnredirect $return_url
+    ad_script_abort
 }
 
 if {1 || $swa_p} {
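Review bot: The prefix test `[string range $return_url 0 0] ne "/"` is now the only visible guard on a value that originates from the request (`ns_queryget return_url`, carried back in `decoded_state`), and it accepts `//host/...` and `/\host/...`, which browsers resolve to a different host. Before this change only the configured `-after_successful_login_url` reached the redirect, so the loose check mattered less. I would tighten the condition to `if {[string index $return_url 0] ne "/" || [string index $return_url 1] in {/ \\}} {`, unless `ad_returnredirect` already refuses external targets, which is not visible in this hunk. Whether `perform_login` verifies the integrity of `state` before decoding it is also not shown; if it does not, a comment above the `dict exists` line such as `# return_url is request-supplied and untrusted; validate before redirecting` would help the next reader.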
@@ -76,3 +74,10 @@
 
     set error [dict get $data error]
 }
+
+#
+# Local variables:
+#    mode: tcl
+#    tcl-indent-level: 4
+#    indent-tabs-mode: nil
+# End
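Review bot: The added editor trailer ends with `# End`, but Emacs expects the file-local variables list to be closed by `End:` with the colon. As written the block is likely to be reported as not properly terminated and the `tcl-indent-level` / `indent-tabs-mode` settings ignored; the last line should read `# End:`.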