Update the authorization/logout request caching logic to use RequestUri

3 years ago · 778b5c81d9
4 changed files with 24 additions and 4 deletions
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@ -187,6 +187,11 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                    throw new ArgumentNullException(nameof(context));
                }

+                if (context is not { BaseUri.IsAbsoluteUri: true, RequestUri.IsAbsoluteUri: true })
+                {
+                    throw new InvalidOperationException(SR.GetResourceString(SR.ID0127));
+                }
+
                Debug.Assert(context.Request is not null, SR.GetResourceString(SR.ID4008));

                // This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
@ -246,7 +251,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers

                // Create a new GET authorization request containing only the request_id parameter.
                var location = QueryHelpers.AddQueryString(
-                    uri: request.Scheme + Uri.SchemeDelimiter + request.Host + request.PathBase + request.Path,
+                    uri: new UriBuilder(context.RequestUri) { Query = null }.Uri.AbsoluteUri,
                    name: Parameters.RequestId,
                    value: context.Request.RequestId);

--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
@ -184,6 +184,11 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                    throw new ArgumentNullException(nameof(context));
                }

+                if (context is not { BaseUri.IsAbsoluteUri: true, RequestUri.IsAbsoluteUri: true })
+                {
+                    throw new InvalidOperationException(SR.GetResourceString(SR.ID0127));
+                }
+
                Debug.Assert(context.Request is not null, SR.GetResourceString(SR.ID4008));

                // This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
@ -243,7 +248,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers

                // Create a new GET logout request containing only the request_id parameter.
                var location = QueryHelpers.AddQueryString(
-                    uri: request.Scheme + Uri.SchemeDelimiter + request.Host + request.PathBase + request.Path,
+                    uri: new UriBuilder(context.RequestUri) { Query = null }.Uri.AbsoluteUri,
                    name: Parameters.RequestId,
                    value: context.Request.RequestId);

--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
@ -186,6 +186,11 @@ public static partial class OpenIddictServerOwinHandlers
                    throw new ArgumentNullException(nameof(context));
                }

+                if (context is not { BaseUri.IsAbsoluteUri: true, RequestUri.IsAbsoluteUri: true })
+                {
+                    throw new InvalidOperationException(SR.GetResourceString(SR.ID0127));
+                }
+
                Debug.Assert(context.Request is not null, SR.GetResourceString(SR.ID4008));

                // This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
@ -242,7 +247,7 @@ public static partial class OpenIddictServerOwinHandlers

                // Create a new GET authorization request containing only the request_id parameter.
                var location = WebUtilities.AddQueryString(
-                    uri: request.Scheme + Uri.SchemeDelimiter + request.Host + request.PathBase + request.Path,
+                    uri: new UriBuilder(context.RequestUri) { Query = null }.Uri.AbsoluteUri,
                    name: Parameters.RequestId,
                    value: context.Request.RequestId);

--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
@ -184,6 +184,11 @@ public static partial class OpenIddictServerOwinHandlers
                    throw new ArgumentNullException(nameof(context));
                }

+                if (context is not { BaseUri.IsAbsoluteUri: true, RequestUri.IsAbsoluteUri: true })
+                {
+                    throw new InvalidOperationException(SR.GetResourceString(SR.ID0127));
+                }
+
                Debug.Assert(context.Request is not null, SR.GetResourceString(SR.ID4008));

                // This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
@ -240,7 +245,7 @@ public static partial class OpenIddictServerOwinHandlers

                // Create a new GET logout request containing only the request_id parameter.
                var location = WebUtilities.AddQueryString(
-                    uri: request.Scheme + Uri.SchemeDelimiter + request.Host + request.PathBase + request.Path,
+                    uri: new UriBuilder(context.RequestUri) { Query = null }.Uri.AbsoluteUri,
                    name: Parameters.RequestId,
                    value: context.Request.RequestId);