[pull] dev from openiddict:dev

Directory.Build.props

@@ -118,17 +118,17 @@
 
     <NetCoreIOSTargetFrameworks
       Condition=" '$(NetCoreIOSTargetFrameworks)' == '' And '$(SupportsIOSTargeting)' == 'true' ">
-      net8.0-ios17.2
+      net8.0-ios17.5
     </NetCoreIOSTargetFrameworks>
 
     <NetCoreMacCatalystTargetFrameworks
       Condition=" '$(NetCoreMacCatalystTargetFrameworks)' == '' And '$(SupportsMacCatalystTargeting)' == 'true' ">
-      net8.0-maccatalyst17.2
+      net8.0-maccatalyst17.5
     </NetCoreMacCatalystTargetFrameworks>
 
     <NetCoreMacOSTargetFrameworks
       Condition=" '$(NetCoreMacOSTargetFrameworks)' == '' And '$(SupportsMacOSTargeting)' == 'true' ">
-      net8.0-macos14.2
+      net8.0-macos14.5
     </NetCoreMacOSTargetFrameworks>
 
     <NetCoreWindowsTargetFrameworks

OpenIddict.sln

@@ -84,6 +84,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "root", "root", "{F6F3C8E0-B
 		NuGet.config = NuGet.config
 		package-icon.png = package-icon.png
 		README.md = README.md
+		WorkloadRollback.json = WorkloadRollback.json
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Validation", "src\OpenIddict.Validation\OpenIddict.Validation.csproj", "{17C10B53-278B-416F-9090-8531179BDF2E}"

WorkloadRollback.json

@@ -0,0 +1,15 @@
+{
+  "microsoft.net.sdk.android": "34.0.113/8.0.100",
+  "microsoft.net.sdk.ios": "17.5.8020/8.0.100",
+  "microsoft.net.sdk.maccatalyst": "17.5.8020/8.0.100",
+  "microsoft.net.sdk.macos": "14.5.8020/8.0.100",
+  "microsoft.net.sdk.maui": "8.0.72/8.0.100",
+  "microsoft.net.sdk.tvos": "17.5.8020/8.0.100",
+  "microsoft.net.workload.mono.toolchain.current": "8.0.8/8.0.100",
+  "microsoft.net.workload.emscripten.current": "8.0.8/8.0.100",
+  "microsoft.net.workload.emscripten.net6": "8.0.8/8.0.100",
+  "microsoft.net.workload.emscripten.net7": "8.0.8/8.0.100",
+  "microsoft.net.workload.mono.toolchain.net6": "8.0.8/8.0.100",
+  "microsoft.net.workload.mono.toolchain.net7": "8.0.8/8.0.100",
+  "microsoft.net.sdk.aspire": "8.1.0/8.0.100"
+}

eng/Tools.props

@@ -5,13 +5,51 @@
   </ItemGroup>
 
   <!--
-    Restore the .NET workloads immediately after the .NET tooling has been installed by Arcade.
+    Install the .NET workloads immediately after the .NET tooling has been installed by Arcade.
+
+    Note: the workload versions are pinned in the WorkloadRollback.json file.
   -->
 
   <Target Name="RestoreWorkloads" AfterTargets="InstallDotNetCore" Condition=" '$(RestoreDotNetWorkloads)' == 'true' ">
     <Message Text="Installing the .NET workloads required to build the solution..." />
 
-    <Exec Command='"$(DotNetTool)" workload restore' WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true">
+    <Exec Command='"$(DotNetTool)" workload update --from-rollback-file WorkloadRollback.json'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install android --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install ios --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true"
+          Condition=" $([System.OperatingSystem]::IsMacOS()) Or $([System.OperatingSystem]::IsWindows()) ">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install maccatalyst --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true"
+          Condition=" $([System.OperatingSystem]::IsMacOS()) Or $([System.OperatingSystem]::IsWindows()) ">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install macos --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true"
+          Condition=" $([System.OperatingSystem]::IsMacOS()) Or $([System.OperatingSystem]::IsWindows()) ">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install maui-maccatalyst --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true"
+          Condition=" $([System.OperatingSystem]::IsMacOS()) Or $([System.OperatingSystem]::IsWindows()) ">
+      <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
+    </Exec>
+
+    <Exec Command='"$(DotNetTool)" workload install maui-ios --skip-manifest-update'
+          WorkingDirectory="$(RepoRoot)" ConsoleToMSBuild="true"
+          Condition=" $([System.OperatingSystem]::IsMacOS()) Or $([System.OperatingSystem]::IsWindows()) ">
       <Output TaskParameter="ConsoleOutput" PropertyName="OutputOfExec" />
     </Exec>
   </Target>

eng/Versions.props

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <MajorVersion>5</MajorVersion>
-    <MinorVersion>8</MinorVersion>
+    <MinorVersion>9</MinorVersion>
     <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>

sandbox/OpenIddict.Sandbox.Maui.Client/OpenIddict.Sandbox.Maui.Client.csproj

@@ -3,8 +3,8 @@
   <PropertyGroup>
     <OutputType>Exe</OutputType>
     <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">net8.0-windows10.0.19041</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsIOSTargeting)' == 'true' ">$(TargetFrameworks);net8.0-ios17.2</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsMacCatalystTargeting)' == 'true' ">$(TargetFrameworks);net8.0-maccatalyst17.2</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsIOSTargeting)' == 'true' ">$(TargetFrameworks);net8.0-ios17.5</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsMacCatalystTargeting)' == 'true' ">$(TargetFrameworks);net8.0-maccatalyst17.5</TargetFrameworks>
     <UseMaui Condition=" '$(TargetFrameworks)' != '' ">true</UseMaui>
     <TargetFrameworks Condition=" '$(TargetFrameworks)' == '' ">net8.0</TargetFrameworks>
     <SingleProject>true</SingleProject>

src/OpenIddict.Abstractions/OpenIddictResources.resx

@@ -1480,7 +1480,7 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
     <value>The web authentication broker is only supported on UWP and requires running Windows 10 version 1709 (Fall Creators) or higher.</value>
   </data>
   <data name="ID0393" xml:space="preserve">
-    <value>The web authentication result cannot be resolved or contains invalid data.</value>
+    <value>The platform callback cannot be resolved or contains invalid data.</value>
   </data>
   <data name="ID0394" xml:space="preserve">
     <value>The issuer attached to the static configuration must be the same as the one configured in the validation options.</value>
@@ -1684,14 +1684,17 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
     <value>The generic version of the OpenIddict.Client.SystemIntegration package cannot be used on this platform. Make sure your application is referencing the correct version by using the appropriate OS-specific TFM (e.g on macOS, 'net8.0-macos10.15').</value>
   </data>
   <data name="ID0450" xml:space="preserve">
-    <value>An HTTP/HTTPS redirect_uri or post_logout_redirect_uri cannot be used when using AS web authentication sessions. Make sure you're using a custom protocol scheme for all the callback URIs attached to the client registration.</value>
+    <value>An HTTP redirect_uri or post_logout_redirect_uri cannot be used when using AS web authentication sessions. Make sure you're using a custom protocol scheme for all the callback URIs attached to the client registration. Alternatively, you can register an associated domain and use an HTTPS redirect_uri or post_logout_redirect_uri pointing to that domain (supported only on iOS 17.4+, Mac Catalyst 17.4+ and macOS 14.4+).</value>
   </data>
   <data name="ID0451" xml:space="preserve">
     <value>The Zoho integration requires sending the region of the server when using the client credentials or refresh token grants. For that, attach a ".location" authentication property containing the region to use.</value>
   </data>
   <data name="ID0452" xml:space="preserve">
     <value>Custom tabs intents are only supported on Android.</value>
   </data>
+  <data name="ID0453" xml:space="preserve">
+    <value>The specified intent doesn't contain a valid data URI.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>
@@ -2874,6 +2877,12 @@ This may indicate that the hashed entry is corrupted or malformed.</value>
   <data name="ID6230" xml:space="preserve">
     <value>The revocation request was rejected by the remote authorization server: {Response}.</value>
   </data>
+  <data name="ID6231" xml:space="preserve">
+    <value>An error was returned by ASWebAuthenticationSession while trying to start a challenge operation.</value>
+  </data>
+  <data name="ID6232" xml:space="preserve">
+    <value>An error was returned by ASWebAuthenticationSession while trying to start a sign-out operation.</value>
+  </data>
   <data name="ID8000" xml:space="preserve">
     <value>https://documentation.openiddict.com/errors/{0}</value>
   </data>

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs

@@ -564,6 +564,11 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            // This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
+            // this may indicate that the request was incorrectly processed by another server stack.
+            var request = context.Transaction.GetHttpRequest() ??
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0114));
+
             var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
             if (properties is { Items.Count: > 0 })
             {
@@ -575,7 +580,19 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
                 context.RegistrationId      = GetProperty(properties, Properties.RegistrationId);
                 context.ResponseMode        = GetProperty(properties, Properties.ResponseMode);
                 context.ResponseType        = GetProperty(properties, Properties.ResponseType);
-                context.TargetLinkUri       = properties.RedirectUri;
+
+                context.TargetLinkUri = properties.RedirectUri switch
+                {
+                    // If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
+                    { Length: > 0 } uri => uri,
+
+                    // If no return URL was explicitly set in the authentication properties (e.g because
+                    // the challenge was triggered automatically by ASP.NET Core or because no return URL
+                    // was specified by the user), use the current location as the default target link URI.
+                    _ => (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPathBase ?? request.PathBase) +
+                         (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPath     ?? request.Path)     +
+                          request.QueryString
+                };
 
                 if (properties.Items.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
                 {
@@ -880,14 +897,31 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            // This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
+            // this may indicate that the request was incorrectly processed by another server stack.
+            var request = context.Transaction.GetHttpRequest() ??
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0114));
+
             var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
             if (properties is { Items.Count: > 0 })
             {
                 context.IdentityTokenHint = GetProperty(properties, Properties.IdentityTokenHint);
                 context.LoginHint         = GetProperty(properties, Properties.LoginHint);
                 context.ProviderName      = GetProperty(properties, Properties.ProviderName);
                 context.RegistrationId    = GetProperty(properties, Properties.RegistrationId);
-                context.TargetLinkUri     = properties.RedirectUri;
+
+                context.TargetLinkUri = properties.RedirectUri switch
+                {
+                    // If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
+                    { Length: > 0 } uri => uri,
+
+                    // If no return URL was explicitly set in the authentication properties (e.g because
+                    // the challenge was triggered automatically by ASP.NET Core or because no return URL
+                    // was specified by the user), use the current location as the default target link URI.
+                    _ => (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPathBase ?? request.PathBase) +
+                         (request.HttpContext.Features.Get<IAuthenticationFeature>()?.OriginalPath     ?? request.Path)     +
+                          request.QueryString
+                };
 
                 if (properties.Items.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
                 {

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs

@@ -573,6 +573,11 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            // This handler only applies to OWIN requests. If the HTTP context cannot be resolved,
+            // this may indicate that the request was incorrectly processed by another server stack.
+            var request = context.Transaction.GetOwinRequest() ??
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0120));
+
             var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
             if (properties is not { Dictionary.Count: > 0 })
             {
@@ -587,7 +592,16 @@ public ValueTask HandleAsync(ProcessChallengeContext context)
             context.RegistrationId      = GetProperty(properties, Properties.RegistrationId);
             context.ResponseMode        = GetProperty(properties, Properties.ResponseMode);
             context.ResponseType        = GetProperty(properties, Properties.ResponseType);
-            context.TargetLinkUri       = properties.RedirectUri;
+
+            context.TargetLinkUri = properties.RedirectUri switch
+            {
+                // If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
+                { Length: > 0 } uri => uri,
+
+                // If no return URL was explicitly set in the authentication properties (e.g because no return
+                // URL was specified by the user), use the current address as the default target link URI.
+                _ => request.PathBase + request.Path + request.QueryString
+            };
 
             if (properties.Dictionary.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
             {
@@ -915,6 +929,11 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            // This handler only applies to OWIN requests. If the HTTP context cannot be resolved,
+            // this may indicate that the request was incorrectly processed by another server stack.
+            var request = context.Transaction.GetOwinRequest() ??
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0120));
+
             var properties = context.Transaction.GetProperty<AuthenticationProperties>(typeof(AuthenticationProperties).FullName!);
             if (properties is not { Dictionary.Count: > 0 })
             {
@@ -925,7 +944,16 @@ public ValueTask HandleAsync(ProcessSignOutContext context)
             context.LoginHint         = GetProperty(properties, Properties.LoginHint);
             context.ProviderName      = GetProperty(properties, Properties.ProviderName);
             context.RegistrationId    = GetProperty(properties, Properties.RegistrationId);
-            context.TargetLinkUri     = properties.RedirectUri;
+
+            context.TargetLinkUri = properties.RedirectUri switch
+            {
+                // If a return URL - local or not - was explicitly set in the authentication properties, always honor it.
+                { Length: > 0 } uri => uri,
+
+                // If no return URL was explicitly set in the authentication properties (e.g because no return
+                // URL was specified by the user), use the current address as the default target link URI.
+                _ => request.PathBase + request.Path + request.QueryString
+            };
 
             if (properties.Dictionary.TryGetValue(Properties.Issuer, out string? issuer) && !string.IsNullOrEmpty(issuer))
             {

src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationExtensions.cs

@@ -103,17 +103,18 @@ public static OpenIddictClientSystemIntegrationBuilder UseSystemIntegration(this
 
         // Register the built-in filters used by the default OpenIddict client system integration event handlers.
         builder.Services.TryAddSingleton<RequireASWebAuthenticationSession>();
-        builder.Services.TryAddSingleton<RequireASWebAuthenticationCallbackUrl>();
         builder.Services.TryAddSingleton<RequireAuthenticationNonce>();
         builder.Services.TryAddSingleton<RequireCustomTabsIntent>();
-        builder.Services.TryAddSingleton<RequireCustomTabsIntentData>();
         builder.Services.TryAddSingleton<RequireEmbeddedWebServerEnabled>();
         builder.Services.TryAddSingleton<RequireHttpListenerContext>();
         builder.Services.TryAddSingleton<RequireInteractiveSession>();
+        builder.Services.TryAddSingleton<RequirePlatformCallback>();
         builder.Services.TryAddSingleton<RequireProtocolActivation>();
         builder.Services.TryAddSingleton<RequireSystemBrowser>();
         builder.Services.TryAddSingleton<RequireWebAuthenticationBroker>();
+#pragma warning disable CS0618
         builder.Services.TryAddSingleton<RequireWebAuthenticationResult>();
+#pragma warning restore CS0618
 
         // Register the built-in event handlers used by the OpenIddict client system integration components.
         // Note: the order used here is not important, as the actual order is set in the options.