ASP.NET Core2: Add current request url if no ReturnUrl

- Fixes #879
Sustainsys · Mar 29, 2018 · 1308402 · 1308402
1 parent a9d6dc0
commit 1308402
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 3 deletions.
diff --git a/Sustainsys.Saml2.AspNetCore2/Saml2Handler.cs b/Sustainsys.Saml2.AspNetCore2/Saml2Handler.cs
@@ -65,6 +65,15 @@ public Task<AuthenticateResult> AuthenticateAsync()
             throw new NotImplementedException();
         }
 
+        private string CurrentUri
+        {
+            get => context.Request.Scheme + "://" 
+                + context.Request.Host 
+                + context.Request.PathBase 
+                + context.Request.Path 
+                + context.Request.QueryString;
+        }
+
         /// <InheritDoc />
         public async Task ChallengeAsync(AuthenticationProperties properties)
         {
@@ -74,7 +83,7 @@ public async Task ChallengeAsync(AuthenticationProperties properties)
             }
 
             // Don't serialize the return url twice, move it to our location.
-            var redirectUri = properties.RedirectUri;
+            var redirectUri = properties.RedirectUri ?? CurrentUri;
             properties.RedirectUri = null;
 
             var requestData = context.ToHttpRequestData(null);

diff --git a/Tests/AspNetCore2.Tests/Saml2HandlerTests.cs b/Tests/AspNetCore2.Tests/Saml2HandlerTests.cs
@@ -78,13 +78,12 @@ public AuthenticationScheme AuthenticationScheme
         }
 
         [TestMethod]
-        public async Task Saml2Handler_RedirectsToDefaultIdpOnChallenge()
+        public async Task Saml2Handler_ChallengeAsync_RedirectsToDefaultIdp()
         {
             var context = new Saml2HandlerTestContext();
 
             var authProps = new AuthenticationProperties()
             {
-                IssuedUtc = new DateTimeOffset(new DateTime(2017, 09, 30)),
                 RedirectUri = "https://sp.example.com/LoggedIn"
             };
 
@@ -111,6 +110,37 @@ public async Task Saml2Handler_RedirectsToDefaultIdpOnChallenge()
             state.RelayData.Values.Should().NotContain("https://sp.example.com/LoggedIn");
         }
 
+        [TestMethod]
+        public async Task Saml2Handler_ChallengeAsync_UsesCurrentUrlAsReturnUrlIfAuthPropsAreEmpty()
+        {
+            var context = new Saml2HandlerTestContext();
+
+            var authProps = new AuthenticationProperties();
+
+            var response = context.HttpContext.Response;
+
+            string cookieData = null;
+            response.Cookies.Append(
+                Arg.Any<string>(),
+                Arg.Do<string>(v => cookieData = v),
+                Arg.Any<CookieOptions>());
+
+            await context.Subject.ChallengeAsync(authProps);
+
+            response.StatusCode.Should().Be(303);
+            response.Headers["Location"].Single()
+                .Should().StartWith("https://idp.example.com/sso?SAMLRequest=");
+
+            var state = new StoredRequestState(StubDataProtector.Unprotect(
+                HttpRequestData.GetBinaryData(cookieData)));
+
+            state.ReturnUrl.OriginalString.Should().Be("https://sp.example.com/somePath?param=value");
+
+            // Don't dual-store the return-url.
+            state.RelayData.Values.Should().NotContain("https://sp.example.com/somePath?param=value");
+        }
+
+
         [TestMethod]
         public async Task Saml2Handler_Acs_Works()
         {