diff --git a/authentik/core/sources/flow_manager.py b/authentik/core/sources/flow_manager.py
index 58546f4973..c5a92d9a87 100644
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@@ -36,6 +36,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
+from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@@ -208,6 +209,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
+        if not is_url_absolute(final_redirect):
+            final_redirect = "authentik_core:if-user"
         flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
diff --git a/authentik/sources/saml/views.py b/authentik/sources/saml/views.py
index 07fc6f859c..3f54f029fc 100644
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@@ -33,6 +33,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
+from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@@ -73,6 +74,8 @@ class InitiateView(View):
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
+        if not is_url_absolute(final_redirect):
+            final_redirect = "authentik_core:if-user"
         kwargs.update(
             {
                 PLAN_CONTEXT_SSO: True,
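Review bot: The guard added after the `final_redirect` lookup in `SourceFlowManager` resets every value for which `is_url_absolute` returns False to `"authentik_core:if-user"`, but nothing in the hunk records which class of values the helper accepts, so a reader cannot tell whether relative paths are meant to survive here or only the default route name. If the helper follows the convention of returning True for URLs that carry a host, this condition keeps the off-host values and discards the relative ones, which is the inverse of what a redirect guard should do; please confirm against the `authentik.lib.utils.urls` helper and add a comment above the `if`, such as `# Only keep a next= target that cannot send the user to another host; anything else falls back to the user interface`. The same two lines and the twice-repeated literal `"authentik_core:if-user"` appear again in `InitiateView` in `authentik/sources/saml/views.py`; hoisting the default into one shared constant, or moving the check into a helper beside `is_url_absolute`, would keep the two call sites from drifting apart. A debug log entry when a supplied `next` value is discarded would make redirect probing visible in the flow logs. The enclosing method starts and ends outside the hunk in both files.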