From c85b45cff6f13dca33198f08b9a006c197f189cf Mon Sep 17 00:00:00 2001 From: bobby <1544881+desimone@users.noreply.github.com> Date: Mon, 19 Oct 2020 08:07:51 -0700 Subject: [PATCH] authorize: add redirect url to debug page (#1533) Signed-off-by: Bobby DeSimone --- authorize/check_response.go | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/authorize/check_response.go b/authorize/check_response.go index f117ed583..55b0a6e56 100644 --- a/authorize/check_response.go +++ b/authorize/check_response.go @@ -58,15 +58,32 @@ func (a *Authorize) deniedResponse( } if returnHTMLError { - return a.htmlDeniedResponse(code, reason, headers) + return a.htmlDeniedResponse(in, code, reason, headers) } return a.plainTextDeniedResponse(code, reason, headers) } -func (a *Authorize) htmlDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse { +func (a *Authorize) htmlDeniedResponse( + in *envoy_service_auth_v2.CheckRequest, + code int32, reason string, headers map[string]string, +) *envoy_service_auth_v2.CheckResponse { + opts := a.currentOptions.Load() debugEndpoint := opts.GetAuthenticateURL().ResolveReference(&url.URL{Path: "/.pomerium/"}) + // create go-style http request + r := getHTTPRequestFromCheckRequest(in) + redirectURL := urlutil.GetAbsoluteURL(r).String() + if ref := r.Header.Get(httputil.HeaderReferrer); ref != "" { + redirectURL = ref + } + + debugEndpoint = debugEndpoint.ResolveReference(&url.URL{ + RawQuery: url.Values{ + urlutil.QueryRedirectURI: {redirectURL}, + }.Encode(), + }) + var details string switch code { case httputil.StatusInvalidClientCertificate:
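Review bot: The `Referer` value assigned to `redirectURL` in `htmlDeniedResponse` is client-supplied, yet it is placed into the `urlutil.QueryRedirectURI` parameter of the debug link without being parsed or checked. If the handler behind `/.pomerium/` follows that parameter without validating it (not visible in this hunk), the denied page can hand users a link that leads to an arbitrary host, and any query string carried in the referrer is copied into the link as well. I would accept the header only when it parses and names the same host as the request, e.g. `if ref, err := url.Parse(r.Header.Get(httputil.HeaderReferrer)); err == nil && ref.Host != "" && ref.Host == r.Host { redirectURL = ref.String() }`, assuming `r` is a `*http.Request`, and otherwise keep the value from `urlutil.GetAbsoluteURL(r)`. A short comment above the block saying why the referrer is preferred over the request URL would also help, since the existing `// create go-style http request` comment only describes the conversion. The function body continues past the end of the hunk.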