Skip to content

Commit

Permalink
Use the current address as the default target link URI when Authentic…
Browse files Browse the repository at this point in the history 
…ationProperties.RedirectUri is not set
  • Loading branch information
@kevinchalet
kevinchalet committed Aug 30, 2024
1 parent 1fed458 commit 52b6237
Show file tree
Hide file tree
Showing 2 changed files with 66 additions and 4 deletions.
38 changes: 36 additions & 2 deletions src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -564,6 +564,11 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
throw new ArgumentNullException(nameof(context));
}

// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
// this may indicate that the request was incorrectly processed by another server stack.
var request = context.Transaction.GetHttpRequest() ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0114));

var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
if (properties is { Items.Count: > 0 })
{
Expand All @@ -575,7 +580,19 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
context.RegistrationId = GetProperty(properties, Properties.RegistrationId);
context.ResponseMode = GetProperty(properties, Properties.ResponseMode);
context.ResponseType = GetProperty(properties, Properties.ResponseType);
context.TargetLinkUri = properties.RedirectUri;

context.TargetLinkUri = properties.RedirectUri switch
{
// If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
{ Length: > 0 } uri => uri,

// If no return URL was explicitly set in the authentication properties (e.g because
// the challenge was triggered automatically by ASP.NET Core or because no return URL
// was specified by the user), use the current location as the default target link URI.
_ => (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPathBase ?? request.PathBase) +
(request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPath ?? request.Path) +
request.QueryString
};

if (properties.Items.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
{
Expand Down Expand Up @@ -880,14 +897,31 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
throw new ArgumentNullException(nameof(context));
}

// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
// this may indicate that the request was incorrectly processed by another server stack.
var request = context.Transaction.GetHttpRequest() ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0114));

var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
if (properties is { Items.Count: > 0 })
{
context.IdentityTokenHint = GetProperty(properties, Properties.IdentityTokenHint);
context.LoginHint = GetProperty(properties, Properties.LoginHint);
context.ProviderName = GetProperty(properties, Properties.ProviderName);
context.RegistrationId = GetProperty(properties, Properties.RegistrationId);
context.TargetLinkUri = properties.RedirectUri;

context.TargetLinkUri = properties.RedirectUri switch
{
// If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
{ Length: > 0 } uri => uri,

// If no return URL was explicitly set in the authentication properties (e.g because
// the challenge was triggered automatically by ASP.NET Core or because no return URL
// was specified by the user), use the current location as the default target link URI.
_ => (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPathBase ?? request.PathBase) +
(request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPath ?? request.Path) +
request.QueryString
};

if (properties.Items.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
{
Expand Down
32 changes: 30 additions & 2 deletions src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -573,6 +573,11 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
throw new ArgumentNullException(nameof(context));
}

// This handler only applies to OWIN requests. If the HTTP context cannot be resolved,
// this may indicate that the request was incorrectly processed by another server stack.
var request = context.Transaction.GetOwinRequest() ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0120));

var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
if (properties is not { Dictionary.Count: > 0 })
{
Expand All @@ -587,7 +592,16 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
context.RegistrationId = GetProperty(properties, Properties.RegistrationId);
context.ResponseMode = GetProperty(properties, Properties.ResponseMode);
context.ResponseType = GetProperty(properties, Properties.ResponseType);
context.TargetLinkUri = properties.RedirectUri;

context.TargetLinkUri = properties.RedirectUri switch
{
// If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
{ Length: > 0 } uri => uri,

// If no return URL was explicitly set in the authentication properties (e.g because no return
// URL was specified by the user), use the current address as the default target link URI.
_ => request.PathBase + request.Path + request.QueryString
};

if (properties.Dictionary.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
{
Expand Down Expand Up @@ -915,6 +929,11 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
throw new ArgumentNullException(nameof(context));
}

// This handler only applies to OWIN requests. If the HTTP context cannot be resolved,
// this may indicate that the request was incorrectly processed by another server stack.
var request = context.Transaction.GetOwinRequest() ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0120));

var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
if (properties is not { Dictionary.Count: > 0 })
{
Expand All @@ -925,7 +944,16 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
context.LoginHint = GetProperty(properties, Properties.LoginHint);
context.ProviderName = GetProperty(properties, Properties.ProviderName);
context.RegistrationId = GetProperty(properties, Properties.RegistrationId);
context.TargetLinkUri = properties.RedirectUri;

context.TargetLinkUri = properties.RedirectUri switch
{
// If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
{ Length: > 0 } uri => uri,

// If no return URL was explicitly set in the authentication properties (e.g because no return
// URL was specified by the user), use the current address as the default target link URI.
_ => request.PathBase + request.Path + request.QueryString
};

if (properties.Dictionary.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
{
Expand Down

0 comments on commit 52b6237

Please sign in to comment.