Skip to content
This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Ensuring the generated redirect URL is valid #903

Closed
troydai opened this issue Jul 16, 2016 · 3 comments
Closed

Ensuring the generated redirect URL is valid #903

troydai opened this issue Jul 16, 2016 · 3 comments
Assignees
@Tratcher
Labels
3 - Done bug OIDC
Milestone
1.1.0

Comments

@troydai
Copy link
Contributor

troydai commented Jul 16, 2016

In issue #844, @PinpointTownes wrote:

The null ref was in OIDC.

On a related note, we should add more checks to ensure an authorization request or a logout request cannot be generated when the authorization/logout endpoint path resolved from the OIDC configuration or set from the RedirectToIdentityProvider event is null.

Currently, if the authorization endpoint is undefined, the challenge is applied to the current address (e.g ?response_type=id_token...), which can result in an endless loop. 3 OpenIddict users reported a similar behavior in their own apps.

You can easily reproduce it by cloning the OpenIddict MVC samples and updating the server sample to disable the authorization endpoint:

services.AddOpenIddict<ApplicationUser, IdentityRole<Guid>, ApplicationDbContext, Guid>()
    // .EnableAuthorizationEndpoint("/connect/authorize")
    // .EnableLogoutEndpoint("/connect/logout")
    .EnableTokenEndpoint("/connect/token")
    // .EnableUserinfoEndpoint("/connect/userinfo")

    // .AllowAuthorizationCodeFlow()
    // .AllowRefreshTokenFlow()
    .AllowPasswordFlow()

    .DisableHttpsRequirement();
@troydai troydai mentioned this issue Jul 16, 2016
Closed
@Eilon Eilon added the OIDC label Jul 28, 2016
@Eilon Eilon added this to the 1.1.0 milestone Aug 18, 2016
@Eilon Eilon modified the milestones: 1.1.0-preview1, 1.1.0 Oct 6, 2016
@Eilon Eilon assigned Tratcher and unassigned troydai Oct 27, 2016
@Tratcher
Copy link
Member

Tratcher commented Nov 1, 2016

Note there is an existing check for this in HandleUnauthorizedAsync:

if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
{
    Logger.InvalidAuthenticationRequestUrl(redirectUri);
}

Note it only logs. This was because Katana did not apply challenges immediately, it waited until OnSendingHeaders or pipeline-unwind so any exception thrown would not be visible to user code. Core applies challenges immediately when called from user code. While pipeline unwind automatic challenges are still supported, they are not the normal flow. Also, throwing an exception has the advantage of changing this infinite redirect to a 500.

@kevinchalet
Copy link
Contributor

👍 for throwing an exception (an InvalidOperationException, maybe?)

Tratcher added a commit that referenced this issue Nov 1, 2016
@Tratcher
#903 Ensure redirect uris can be generated
b5b37d5
@Tratcher Tratcher mentioned this issue Nov 1, 2016
Merged
Tratcher added a commit that referenced this issue Nov 2, 2016
@Tratcher
#903 Ensure redirect uris can be generated
02746e2
Tratcher added a commit that referenced this issue Nov 4, 2016
@Tratcher
#903 Ensure redirect uris can be generated
0c815da
@Tratcher Tratcher closed this as completed Nov 4, 2016
@liquidboy
Copy link

liquidboy commented Jan 12, 2017
edited
Loading

thought id add this in here for histories sake ...
On my project we just upgraded to netcore 1.1.0 and suddenly our SignOut's were failing ... Traced it to the changes implemented in this issue around checking if IssuerAddress was null or empty ...

https://twitter.com/josefajardo/status/819329380421804032

I still haven't worked out how to fix it BUT atleast I know what caused it ..

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Tratcher Tratcher

Labels
3 - Done bug OIDC
Projects
None yet
Milestone
1.1.0
Development

No branches or pull requests
5 participants
@Eilon @liquidboy @troydai @Tratcher @kevinchalet