/// <summary>
/// Records <paramref name="url"/> as the return URL under review and classifies how far it can be trusted.
/// </summary>
/// <param name="url">The candidate return URL (typically taken straight from the request, so untrusted on arrival).</param>
/// <returns>This service instance, so the call can be chained.</returns>
/// <remarks>
/// The classification stored in the trust-type field is, from least to most trusted:
/// <list type="bullet">
/// <item><c>Unknown</c> – the default; the URL could not be matched to any pending authorization request.</item>
/// <item><c>Known</c> – <c>GetAuthorizationContextAsync</c> resolved the URL to a pending authorization request,
/// i.e. this identity server issued it, so it may be followed.</item>
/// <item><c>Native</c> – additionally, the requesting client uses PKCE. PKCE is used here only as a heuristic
/// for "native client"; a browser-based PKCE client is classified the same way.</item>
/// </list>
/// </remarks>
public async Task<URLContextService> SetUrl(string url)
{
    _url = url;

    // Start from the least-trusted classification and upgrade only on positive evidence.
    _urlTrustType = URLTrustType.Unknown;

    // Match the URL against the pending authorization requests; null means it is not one of ours.
    _authorizationRequest = await _interaction.GetAuthorizationContextAsync(Url);
    if (AuthorizationRequest is null)
    {
        return this;
    }

    // A non-null context means this server itself produced the URL, so it is at least Known.
    _urlTrustType = URLTrustType.Known;

    // PKCE client => treat as native (heuristic, see remarks).
    if (await IsPkceClientAsync(AuthorizationRequest.ClientId))
    {
        _urlTrustType = URLTrustType.Native;
    }

    return this;
}
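/// <summary>
/// Turns a return URL plus its trust classification into the action result that sends the user there.
/// </summary>
/// <param name="urlTrust">
/// How far <paramref name="returnUrl"/> is trusted. <c>Known</c> and <c>Native</c> URLs are followed
/// unconditionally, so this value must only ever come from a URL that was validated against a pending
/// authorization request (as <c>SetUrl</c> does) – never from request input.
/// </param>
/// <param name="returnUrl">The URL to send the user to; may be null or empty.</param>
/// <param name="failIfUnknown">
/// For an <c>Unknown</c>, non-local, non-empty URL: <c>true</c> throws, <c>false</c> falls back to the home page.
/// </param>
/// <returns>
/// A view named "Redirect" for <c>Native</c>; a redirect to <paramref name="returnUrl"/> for <c>Known</c> or for
/// a local URL; otherwise a redirect to "~/".
/// </returns>
/// <exception cref="InvalidOperationException">
/// <paramref name="urlTrust"/> is <c>Unknown</c>, <paramref name="returnUrl"/> is a non-empty, non-local URL and
/// <paramref name="failIfUnknown"/> is <c>true</c>. (Previously a bare <see cref="Exception"/>; existing
/// <c>catch (Exception)</c> handlers still catch this.)
/// </exception>
public IActionResult HandleReturnUrl(URLTrustType urlTrust, string returnUrl, bool failIfUnknown = true)
{
    switch (urlTrust)
    {
        case URLTrustType.Native:
            // Native clients are handed the URL via an intermediate page instead of a bare 302.
            return View("Redirect", new RedirectViewModel { RedirectUrl = returnUrl });

        case URLTrustType.Known:
            // Trusted because the caller already validated it against an authorization request.
            return Redirect(returnUrl);

        default:
            // Unknown (or any unexpected value): no validated context, so treat the URL as untrusted.
            if (string.IsNullOrEmpty(returnUrl))
            {
                return Redirect("~/");
            }

            // Open-redirect guard: without a context only a local URL may be followed. IsLocalUrl rejects
            // absolute and protocol-relative ("//host") URLs per the IUrlHelper contract.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }

            if (failIfUnknown)
            {
                // user might have clicked on a malicious link - should be logged
                // NOTE(review): no logger is in scope here; the caller or an exception filter should record
                // the rejected URL. A specific exception type is thrown so such a filter can target it.
                throw new InvalidOperationException("invalid return URL");
            }

            // Best effort: no valid context, so just go back to the home page.
            return Redirect("~/");
    }
}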