Open Closed

Return URL from login double encoded but only once decoded #6495


User avatar
0
JorisIwell created
  • ABP Framework version: v7.4.2
  • UI Type: Angular
  • Database System: EF Core SQL Server
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace: 404 page not found, no relevant stack trace as the 404 makes sense
  • Steps to reproduce the issue:

We recently upgraded from v5.x to 7.4.2 and started using openIddict as a replacement for identityserver. Steps: Log out of our application Go directly to a url with query parameters, e.g. https://myurl.com/cubes/monitoring?group=installed User is prompted to login User logs in User gets redirected to url with the returnUrl that is present in the login-request User does not get redirected to https://myurl.com/cubes/monitoring?group=installed but instead to https://myurl.com/cubes/monitoring%3Fgroup%3Dinstalled which messes up our routing resulting in a 404.

In the network tab of the developer tools of the browser we can see that the url that is used as the returnUrl of the https://api.myurl.com/Account/Login/.... is double encoded (returnUrl%3D%252Fcubes%252Fmonitoring%253Fgroup%253Dinstalled). Our suspicion is that this should not be the case and causes the user to be directed to the encoded version of our returnUrl. FYI, we do not use a custom AuthGuard, instead we use the @abp/ng.core AuthGuard. We highly suspect this behaviour was not present in our application before upgrading ABP (and angular).


6 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share a URL to reproduce this?

    liming.ma@volosoft.com

    Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This is your angular oauth2 request.

    Is your code changing the state?

    I think you can decode the state to get the raw url.

    The request to angular

  • User Avatar
    0
    JorisIwell created

    I don't think we change the state anywhere. We use the standard ABP AuthGuard and OAuth flow so nothing custom on our end. Do you have any idea where we could find this problem in our code if we unbeknownst to us still add some customisation to this all?

  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    I will ask our angular team.

  • User Avatar
    1
    masum.ulu created
    Support Team Angular Expert

    Hi joris,

    I've re-produce your case, I'll create issue and fix that, we might not release new patch version for 7.4.x yet I'll try to find workaround for that, after u upgrade project version to 8.0.latest you can remove workaround.

    I've refunded ur credits

    best regards

  • User Avatar
    0
    masum.ulu created
    Support Team Angular Expert

    Issue: https://github.com/abpframework/abp/issues/18804

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11