GET /connect/authorize?response_type=id_token%20token&client_id=frontend&redirect_uri=https://localhost:6001/&scope=openid%20email%20roles&nonce= ... 2&state=... HTTP/1.1
https://localhost:6001/id_token= ... &access_token= ...
instead of
https://localhost:6001/?id_token= ... &access_token= ...
no logged error
the issue seems to be in IdentityServer4.Endpoints.Results.AuthorizeResult.BuildRedirectUri()
    if (Response.Request.ResponseMode == OidcConstants.ResponseModes.Query)
    {
        uri = uri.AddQueryString(query);
    }
    else
    {
        uri = uri.AddHashFragment(query);
    }
The AddHashFragment does not add the missing ? after the hash.
Are you saying that
redirect_uri=https://localhost:6001/&scope=openid%20email%20roles&nonce= ... 2&state=...
is your pre-configured redirect URI? and if yes - why?
The preconfigured redirect URL is https://localhost:6001/ (my debugger apparently has undecoded the special characters). It is the main route because it is a single page application (SPA). However, I have the same issue with Angular hash routing, like in https://localhost:6001/#/ or in https://localhost:6001/#/home, which is the same Angular component in my case.
btw. I solved the above issue by changing the above code to:
    if (Response.Request.ResponseMode == OidcConstants.ResponseModes.Query)
    {
        uri = uri.AddQueryString(query);
    }
    else
    {
        uri = uri.AddHashFragment(query);
        uri = uri.AddQueryString(query);
    }
This might not be a proper solution however, because there might be cases where it is wrong and I currently lack the insight about its possible implications.
This is pretty security sensitive code you are changing here.
The page where the redirect URI points to should not be part of your Angular route. Just use a plain html page and from there redirect back to the main app.
ok. so something like https://localhost:6001/return.html and transmitting https://localhost:6001/return.html?return=https://localhost:6001/#/my/route/back as the returnUrl then?
GET /connect/authorize
?response_type=id_token%20token
&client_id=frontend
&redirect_uri=https%3A%2F%2Flocalhost%3A6001%2Freturn.html%3Freturn%3Dhttps%3A%2F%2Flocalhost%3A6001%2F%23%2Fmy%2Froute%2Fback
&scope=openid%20email%20roles
&nonce= ... 2
&state=...
Unfortunately, I don't see the security advantage here. Do I need to use the state parameter for that?
My idea was to store the application state in the local storage of the browser and redirect the user once he came back to the default route. This way the URL does not need to include the angular route at all.
yep store the "deep link" before doing the redirect to IS - then use a static redirect URI (e.g. "callback.html"). Process the response and then do the final redirect back to the routing system.
still doesn't solve the issue with the missing question mark before the URL query. so the question is how to set the Request.ResponseMode to query in @angular/http?
Ah, you can't. It's not allowed for JS clients. It must be a hash fragment. Check the spec.
Oh. I see. Section 4.2 requires the use of the hash fragment. So I need to use location.hash to get the parameters and not use Angular Hash Routing.
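The flow this thread settles on (store the deep link before redirecting, return to a static callback page, read the response from the hash fragment), as an added example that is not code from the thread or from IdentityServer4. The storage keys `oidc.state` and `oidc.deepLink`, the function names and the in-memory storage stand-in are assumptions; ID token signature and nonce validation are not shown.

```javascript
// Added example (not from the thread or IdentityServer4): callback.html logic
// as pure functions. Storage keys "oidc.state"/"oidc.deepLink" are assumptions.
// Parse "#id_token=...&access_token=...&state=..." (no "?" follows the "#").
function parseFragmentResponse(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(raw).entries());
}

// Only allow returning to an in-app hash route such as "#/my/route/back".
function isLocalRoute(link) {
  return typeof link === 'string' && /^#\/\S*$/.test(link);
}

// storage: a sessionStorage-like object exposing getItem/removeItem.
function handleCallback(hash, storage) {
  const response = parseFragmentResponse(hash);
  const expectedState = storage.getItem('oidc.state');
  const deepLink = storage.getItem('oidc.deepLink');
  storage.removeItem('oidc.state'); // state is single use
  storage.removeItem('oidc.deepLink');

  if (response.error) return { ok: false, reason: response.error };
  if (!expectedState || response.state !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (!response.id_token || !response.access_token) {
    return { ok: false, reason: 'missing_token' };
  }
  return {
    ok: true,
    idToken: response.id_token, // signature and nonce checks still required
    accessToken: response.access_token,
    returnTo: isLocalRoute(deepLink) ? deepLink : '#/',
  };
}

// In-memory stand-in for sessionStorage (constructed for this example).
function memoryStorage(initial) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample response, as it would appear in location.hash.
const sample = '#id_token=aaa.bbb.ccc&access_token=tok123&token_type=Bearer&state=s1';
const store = memoryStorage({ 'oidc.state': 's1', 'oidc.deepLink': '#/my/route/back' });
console.log(handleCallback(sample, store).returnTo);
```

In a browser, callback.html would call `handleCallback(location.hash, sessionStorage)` and then navigate to the main page with `returnTo` as its hash.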