Infer the redirection/post-logout redirection endpoint URIs from the redirect_uri/post_logout_redirect_uri configured in client registrations

3 years ago · 6ed9eb25e1
7 changed files with 78 additions and 59 deletions
--- a/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
+++ b/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
@ -180,6 +180,10 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
        /// <summary>
        /// Sets the post-logout redirection URI, if applicable.
        /// </summary>
+        /// <remarks>
+        /// Note: the post-logout redirection URI is automatically added to
+        /// <see cref=""OpenIddictClientOptions.PostLogoutRedirectionEndpointUris""/>.
+        /// </remarks>
        /// <param name=""uri"">The post-logout redirection URI.</param>
        /// <returns>The <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/> instance.</returns>
        public {{ provider.name }} SetPostLogoutRedirectUri(Uri uri)
@ -195,6 +199,10 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
        /// <summary>
        /// Sets the post-logout redirection URI, if applicable.
        /// </summary>
+        /// <remarks>
+        /// Note: the post-logout redirection URI is automatically added to
+        /// <see cref=""OpenIddictClientOptions.PostLogoutRedirectionEndpointUris""/>.
+        /// </remarks>
        /// <param name=""uri"">The post-logout redirection URI.</param>
        /// <returns>The <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/> instance.</returns>
        public {{ provider.name }} SetPostLogoutRedirectUri([StringSyntax(StringSyntaxAttribute.Uri)] string uri)
@ -210,6 +218,10 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
        /// <summary>
        /// Sets the redirection URI, if applicable.
        /// </summary>
+        /// <remarks>
+        /// Note: the redirection URI is automatically added to
+        /// <see cref=""OpenIddictClientOptions.RedirectionEndpointUris""/>.
+        /// </remarks>
        /// <param name=""uri"">The redirection URI.</param>
        /// <returns>The <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/> instance.</returns>
        public {{ provider.name }} SetRedirectUri(Uri uri)
@ -225,6 +237,10 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
        /// <summary>
        /// Sets the redirection URI, if applicable.
        /// </summary>
+        /// <remarks>
+        /// Note: the redirection URI is automatically added to
+        /// <see cref=""OpenIddictClientOptions.RedirectionEndpointUris""/>.
+        /// </remarks>
        /// <param name=""uri"">The redirection URI.</param>
        /// <returns>The <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/> instance.</returns>
        public {{ provider.name }} SetRedirectUri([StringSyntax(StringSyntaxAttribute.Uri)] string uri)
@ -1092,11 +1108,19 @@ public sealed partial class OpenIddictClientWebIntegrationOptions
        /// <summary>
        /// Gets or sets the post-logout redirect URI.
        /// </summary>
+        /// <remarks>
+        /// Note: this value is automatically added to
+        /// <see cref=""OpenIddictClientOptions.PostLogoutRedirectionEndpointUris""/>.
+        /// </remarks>
        public Uri? PostLogoutRedirectUri { get; set; }

        /// <summary>
        /// Gets or sets the redirect URI.
        /// </summary>
+        /// <remarks>
+        /// Note: this value is automatically added to
+        /// <see cref=""OpenIddictClientOptions.RedirectionEndpointUris""/>.
+        /// </remarks>
        public Uri? RedirectUri { get; set; }

        /// <summary>
--- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs
@ -40,21 +40,6 @@ namespace OpenIddict.Sandbox.AspNet.Client
                // Register the OpenIddict client components.
                .AddClient(options =>
                {
-                    // Enable the redirection endpoint needed to handle the callback stage.
-                    //
-                    // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
-                    // URI per provider, unless all the registered providers support returning a special "iss"
-                    // parameter containing their URL as part of authorization responses. For more information,
-                    // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
-                    options.SetRedirectionEndpointUris(
-                        "callback/login/local",
-                        "callback/login/github",
-                        "callback/login/google",
-                        "callback/login/twitter");
-
-                    // Enable the post-logout redirection endpoint needed to handle the callback stage.
-                    options.SetPostLogoutRedirectionEndpointUris("callback/logout/local");
-
                    // Note: this sample uses the authorization code and refresh token
                    // flows, but you can enable the other flows if necessary.
                    options.AllowAuthorizationCodeFlow()
@ -92,6 +77,11 @@ namespace OpenIddict.Sandbox.AspNet.Client
                    });

                    // Register the Web providers integrations.
+                    //
+                    // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
+                    // URI per provider, unless all the registered providers support returning a special "iss"
+                    // parameter containing their URL as part of authorization responses. For more information,
+                    // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                    options.UseWebProviders()
                           .UseGitHub(options =>
                           {
--- a/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs
@ -45,14 +45,6 @@ namespace OpenIddict.Sandbox.AspNet.Server
                // Register the OpenIddict client components.
                .AddClient(options =>
                {
-                    // Enable the redirection endpoint needed to handle the callback stage.
-                    //
-                    // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
-                    // URI per provider, unless all the registered providers support returning a special "iss"
-                    // parameter containing their URL as part of authorization responses. For more information,
-                    // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
-                    options.SetRedirectionEndpointUris("callback/login/github");
-
                    // Note: this sample uses the code flow, but you can enable the other flows if necessary.
                    options.AllowAuthorizationCodeFlow();

@ -73,13 +65,16 @@ namespace OpenIddict.Sandbox.AspNet.Server
                           .SetProductInformation(typeof(Startup).Assembly);

                    // Register the Web providers integrations.
+                    //
+                    // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
+                    // URI per provider, unless all the registered providers support returning a special "iss"
+                    // parameter containing their URL as part of authorization responses. For more information,
+                    // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                    options.UseWebProviders()
-                           .UseGitHub(options =>
-                           {
-                               options.SetClientId("c4ade52327b01ddacff3")
-                                      .SetClientSecret("da6bed851b75e317bf6b2cb67013679d9467c122")
-                                      .SetRedirectUri("callback/login/github");
-                           });
+                           .UseGitHub()
+                           .SetClientId("c4ade52327b01ddacff3")
+                           .SetClientSecret("da6bed851b75e317bf6b2cb67013679d9467c122")
+                           .SetRedirectUri("callback/login/github");
                })

                // Register the OpenIddict server components.
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs
@ -74,22 +74,6 @@ public class Startup
            // Register the OpenIddict client components.
            .AddClient(options =>
            {
-                // Enable the redirection endpoint needed to handle the callback stage.
-                //
-                // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
-                // URI per provider, unless all the registered providers support returning a special "iss"
-                // parameter containing their URL as part of authorization responses. For more information,
-                // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
-                options.SetRedirectionEndpointUris(
-                    "callback/login/local",
-                    "callback/login/github",
-                    "callback/login/google",
-                    "callback/login/reddit",
-                    "callback/login/twitter");
-
-                // Enable the post-logout redirection endpoint needed to handle the callback stage.
-                options.SetPostLogoutRedirectionEndpointUris("callback/logout/local");
-
                // Note: this sample uses the authorization code and refresh token
                // flows, but you can enable the other flows if necessary.
                options.AllowAuthorizationCodeFlow()
@ -127,6 +111,11 @@ public class Startup
                });

                // Register the Web providers integrations.
+                //
+                // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
+                // URI per provider, unless all the registered providers support returning a special "iss"
+                // parameter containing their URL as part of authorization responses. For more information,
+                // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                options.UseWebProviders()
                       .UseGitHub(options =>
                       {
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs
@ -68,14 +68,6 @@ public class Startup
            // Register the OpenIddict client components.
            .AddClient(options =>
            {
-                // Enable the redirection endpoint needed to handle the callback stage.
-                //
-                // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
-                // URI per provider, unless all the registered providers support returning a special "iss"
-                // parameter containing their URL as part of authorization responses. For more information,
-                // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
-                options.SetRedirectionEndpointUris("callback/login/github");
-
                // Note: this sample uses the code flow, but you can enable the other flows if necessary.
                options.AllowAuthorizationCodeFlow();

@ -96,13 +88,16 @@ public class Startup
                       .SetProductInformation(typeof(Startup).Assembly);

                // Register the Web providers integrations.
+                //
+                // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
+                // URI per provider, unless all the registered providers support returning a special "iss"
+                // parameter containing their URL as part of authorization responses. For more information,
+                // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                options.UseWebProviders()
-                       .UseGitHub(options =>
-                       {
-                           options.SetClientId("c4ade52327b01ddacff3")
-                                  .SetClientSecret("da6bed851b75e317bf6b2cb67013679d9467c122")
-                                  .SetRedirectUri("callback/login/github");
-                       });
+                       .UseGitHub()
+                       .SetClientId("c4ade52327b01ddacff3")
+                       .SetClientSecret("da6bed851b75e317bf6b2cb67013679d9467c122")
+                       .SetRedirectUri("callback/login/github");
            })

            // Register the OpenIddict server components.
--- a/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
+++ b/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
@ -83,6 +83,24 @@ public sealed class OpenIddictClientConfiguration : IPostConfigureOptions<OpenId
            }
        }

+        // Implicitly add the redirect_uri attached to the client registrations
+        // to the list of redirection endpoints URIs if they haven't been added.
+        options.RedirectionEndpointUris.AddRange(options.Registrations
+            .Where(registration => registration.RedirectUri is not null)
+            .Select(registration => registration.RedirectUri!)
+            .Where(uri => !options.RedirectionEndpointUris.Contains(uri))
+            .Distinct()
+            .ToList());
+
+        // Implicitly add the post_logout_redirect_uri attached to the client registrations
+        // to the list of post-logout redirection endpoints URIs if they haven't been added.
+        options.PostLogoutRedirectionEndpointUris.AddRange(options.Registrations
+            .Where(registration => registration.PostLogoutRedirectUri is not null)
+            .Select(registration => registration.PostLogoutRedirectUri!)
+            .Where(uri => !options.PostLogoutRedirectionEndpointUris.Contains(uri))
+            .Distinct()
+            .ToList());
+
        // Ensure at least one flow has been enabled.
        if (options.GrantTypes.Count is 0 && options.ResponseTypes.Count is 0)
        {
--- a/src/OpenIddict.Client/OpenIddictClientRegistration.cs
+++ b/src/OpenIddict.Client/OpenIddictClientRegistration.cs
@ -29,11 +29,19 @@ public sealed class OpenIddictClientRegistration
    /// <summary>
    /// Gets or sets the URI of the redirection endpoint that will handle the callback.
    /// </summary>
+    /// <remarks>
+    /// Note: this value is automatically added to
+    /// <see cref="OpenIddictClientOptions.RedirectionEndpointUris"/>.
+    /// </remarks>
    public Uri? RedirectUri { get; set; }

    /// <summary>
    /// Gets or sets the URI of the post-logout redirection endpoint that will handle the callback.
    /// </summary>
+    /// <remarks>
+    /// Note: this value is automatically added to
+    /// <see cref="OpenIddictClientOptions.PostLogoutRedirectionEndpointUris"/>.
+    /// </remarks>
    public Uri? PostLogoutRedirectUri { get; set; }

    /// <summary>