diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx
index 6a194379..36a25a3f 100644
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@@ -1683,6 +1683,9 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
The generic version of the OpenIddict.Client.SystemIntegration package cannot be used on this platform. Make sure your application is referencing the correct version by using the appropriate OS-specific TFM (e.g on macOS, 'net8.0-macos10.15').
+
+ An HTTP/HTTPS redirect_uri or post_logout_redirect_uri cannot be used when using AS web authentication sessions. Make sure you're using a custom protocol scheme for all the callback URIs attached to the client registration.
+
The security token is missing.
diff --git a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Authentication.cs b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Authentication.cs
index 19cc5ba6..5e7e795a 100644
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Authentication.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Authentication.cs
@@ -113,6 +113,13 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
throw new PlatformNotSupportedException(SR.GetResourceString(SR.ID0446));
}
+ if (!Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out Uri? uri) ||
+ (string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase) ||
+ string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)))
+ {
+ throw new InvalidOperationException(SR.GetResourceString(SR.ID0450));
+ }
+
var source = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
// OpenIddict represents the complete interactive authentication dance as a two-phase process:
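Review bot: The seven-line redirect_uri check added here is duplicated verbatim in the OpenIddictClientSystemIntegrationHandlers.Session.cs hunk (post_logout_redirect_uri), and neither copy says why http/https are rejected; the inner parentheses around the two `string.Equals` calls are also redundant. A small shared helper on the partial class would keep both handlers in step and carry the explanation once, e.g. `if (!TryGetCustomSchemeUri(context.RedirectUri, out Uri? uri))` in place of the compound condition, with `uri` still non-null afterwards for the `callbackUrlScheme: uri.Scheme` argument in the next hunk (that use sits outside this hunk, as does the start of the enclosing handler). The helper below uses `[NotNullWhen(true)]`, which needs `System.Diagnostics.CodeAnalysis` in scope; the reason given in its comment is inferred from the resource text and should be confirmed against the platform API.
```csharp
if (!TryGetCustomSchemeUri(context.RedirectUri, out Uri? uri))
{
    throw new InvalidOperationException(SR.GetResourceString(SR.ID0450));
}

// … unchanged: TaskCompletionSource and web authentication session setup …

// Shared by the authentication and logout handlers: the web authentication session
// presumably only dispatches callbacks for custom URL schemes, so an http/https
// callback URI is rejected up front rather than failing later inside the session.
private static bool TryGetCustomSchemeUri(string? value, [NotNullWhen(true)] out Uri? uri)
    => Uri.TryCreate(value, UriKind.Absolute, out uri) &&
       !string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase) &&
       !string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
```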
@@ -134,7 +141,7 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
parameters: context.Transaction.Request.GetParameters().ToDictionary(
parameter => parameter.Key,
parameter => new StringValues((string?[]?) parameter.Value))).AbsoluteUri),
- callbackUrlScheme: new Uri(context.RedirectUri, UriKind.Absolute).Scheme,
+ callbackUrlScheme: uri.Scheme,
completionHandler: (url, error) =>
{
if (url is not null)
diff --git a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Session.cs b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Session.cs
index 9f2a9546..48f3aabf 100644
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Session.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.Session.cs
@@ -113,6 +113,13 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
throw new PlatformNotSupportedException(SR.GetResourceString(SR.ID0446));
}
+ if (!Uri.TryCreate(context.PostLogoutRedirectUri, UriKind.Absolute, out Uri? uri) ||
+ (string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase) ||
+ string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)))
+ {
+ throw new InvalidOperationException(SR.GetResourceString(SR.ID0450));
+ }
+
var source = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
// OpenIddict represents the complete interactive logout dance as a two-phase process:
@@ -134,7 +141,7 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
parameters: context.Transaction.Request.GetParameters().ToDictionary(
parameter => parameter.Key,
parameter => new StringValues((string?[]?) parameter.Value))).AbsoluteUri),
- callbackUrlScheme: new Uri(context.PostLogoutRedirectUri, UriKind.Absolute).Scheme,
+ callbackUrlScheme: uri.Scheme,
completionHandler: (url, error) =>
{
if (url is not null)