The redirect URI is not well-formed. The URI is: 'http://грант.рф:5000/connect/authorize ... #1646
Comments
Interesting catch. @brentschmaltz this may be a bug in CreateAuthenticationRequestUrl.
@levnikolaevich if you look at the metadata document OIDC downloads for configuration, the host value is not encoded in there is it?
@Tratcher
Yes. One way of addressing this is changing the metadata. Can you do that? Also, why did you add ConvertToAscii for your Authority? We should be able to handle that one in Unicode.
@Tratcher , I'm using idsrv4. I think I don't have direct access to that code. I've asked their support for help. PS ConvertToAscii was just for an experiment =)
Ok, the other workaround you can try is setting the Options.Configuration property and manually entering the metadata with encoded urls.
Tagging @leastprivilege re: idsrv4. Any ideas on this? This hostname should probably be punycode encoded in the metadata document itself.
I have no idea.
@leastprivilege do you suggest that this bug should be tracked by your org? We couldn't think of anything in ASP.NET Core that would be causing this.
@Eilon , @leastprivilege, hello! request.Host.Value contains the original host name (http://грант-лев.рф), not punycode. I resolved my issue the following way; it also helped me with the https issue.. =) Seems you can close this issue
@Tratcher , thank you very much for your help!
https://github.com/IdentityServer/IdentityServer4/blob/ecffbb062485b0656461eba4af5648dc9f45a589/src/IdentityServer4/Hosting/BaseUrlMiddleware.cs#L31 does look like a bug in idsrv4. It should consider the host encoding when generating addresses.
@levnikolaevich there's a
@Tratcher can you elaborate?
While the OIDC spec doesn't call out the host encoding specifically, it repeatedly cites RFC 3986 URLs, which do not allow Unicode. That makes sense, as several of these URL values are intended for use in redirect Location headers and must be encoded there.
So you're saying the incoming value for the host could be Unicode? I guess I'm confused why ASP.NET Core would allow that in the first place if it's not a valid host value.
The URI spec is not that restrictive:
The real issue is that this address is used as-is by the OIDC handler that blindly calls That said, it's absolutely not a new issue. I'm pretty sure even the Katana OIDC middleware had the same problem (which is why I personally went with the safest option, i.e. returning punycode-encoded URIs). Edit: in the URL "living" standard proposed by the WHATWG, percent or puny-encoding is no longer necessary for many Unicode chars:
@brockallen HostString.Value returns the decoded form. HostString.ToString() or ToUriComponent gives the encoded form.
Guys, hello!
When I use OpenIdConnect I have a problem in OpenIdConnectHandler (line 394).
So, I use a Cyrillic domain http://грант-лев.рф and the redirect URI in OpenIdConnectHandler looks incorrect.
The redirect URI is not well-formed. The URI is: 'http://грант-лев.рф:5000/connect/authorize?client_id=RosgrantService&redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai%3A5002%2Fsignin-oidc&
Seems, punycode like here
redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai
would be good, but I don't know where I can handle it.
Moreover, after this warning I catch an exception in kestrel
System.InvalidOperationException: Invalid non-ASCII or control character in header: 0x0433
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ThrowInvalidHeaderCharacter(Char ch)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(String headerCharacters)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(StringValues headerValues)
....
So, how can I turn my Cyrillic domain into punycode to prevent the warning and Kestrel crashing in OpenIdConnectHandler?
Thank you for your advice!
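The encoding step this thread converges on (the host name turned into its IDNA/punycode form before it is placed in the authorize URL or a Location header, which is what HostString.ToUriComponent gives and HostString.Value does not), as an added Python example that is not from the issue, ASP.NET Core or IdentityServer4. The header check only approximates what Kestrel's ValidateHeaderCharacters rejects, and the authority, client id and redirect URI values are the ones from the report.

```python
"""Build an OIDC authorize URL whose host is IDNA-encoded so every byte of it
is legal in an HTTP header. Added example; values below come from the issue."""
from urllib.parse import urlsplit, urlunsplit, urlencode, quote

def idna_host(host: str) -> str:
    """ASCII (punycode) form of a host name; plain ASCII hosts pass through unchanged."""
    return host.encode("idna").decode("ascii")

def header_safe(value: str) -> bool:
    """Approximation of Kestrel's header validation (assumption about the exact rules):
    only printable ASCII and horizontal tab are accepted in a header value."""
    return all(0x20 <= ord(ch) < 0x7F or ch == "\t" for ch in value)

def ascii_authority(url: str) -> str:
    """Re-assemble a URL with the host punycode-encoded and the path percent-encoded.
    This is the step the OIDC handler skips when it uses request.Host.Value as-is."""
    parts = urlsplit(url)
    host = idna_host(parts.hostname)
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, quote(parts.path), parts.query, parts.fragment))

def build_authorize_url(authority: str, client_id: str, redirect_uri: str) -> str:
    """Authority is the issuer base URL as the metadata document states it (possibly
    Unicode); redirect_uri is the client callback, also possibly Unicode. Both are
    normalised to ASCII before the query string is assembled."""
    base = ascii_authority(authority.rstrip("/") + "/connect/authorize")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": ascii_authority(redirect_uri),
        "response_type": "code",
        "scope": "openid",
    }, quote_via=quote)
    return f"{base}?{query}"

if __name__ == "__main__":
    # Constructed input mirroring the report: Cyrillic issuer and client on ports 5000/5002.
    raw = "http://грант-лев.рф:5000/connect/authorize"
    print("raw host header-safe:", header_safe(raw))          # False: 0x0433 ('г') is non-ASCII
    print("encoded:", ascii_authority(raw))                    # http://xn----7sbhbm9amwu.xn--p1ai:5000/...
    url = build_authorize_url("http://грант-лев.рф:5000", "RosgrantService",
                              "http://грант-лев.рф:5002/signin-oidc")
    print("authorize url header-safe:", header_safe(url), url)
```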