bad use of dictionary key in OAuthAuthorizationServerHandler class?

Apr 23, 2015 at 4:06 AM

In the class OAuthAuthorizationServerHandler there is a code like this one:
signin.Properties.Dictionary[Constants.Extra.ClientId] = _authorizeEndpointRequest.ClientId;
if (!string.IsNullOrEmpty(_authorizeEndpointRequest.RedirectUri))
   // keep original request parameter for later comparison
   signin.Properties.Dictionary[Constants.Extra.RedirectUri] = _authorizeEndpointRequest.RedirectUri;
where the value of Constants.Extra.RedirectUri is redirect_uri, but in the class AuthenticationProperties (signin is an instance of this class) the key used to access the redirect URI value is .redirect.

So, the value for the redirect_uri is never updated in signin.Properties part.

Is this a bug?

My code crashes because my ticket never has a redirect_uri value.
Apr 25, 2015 at 3:23 PM

This code is perfectly valid: remember that - despite its name - AuthenticationProperties.RedirectUri doesn't represent the OAuth2 redirect_uri parameter (aka "callback URL") but the final location the user agent will be redirected to after the whole authorization process (your home page, your profile page, etc.).

AuthorizeEndpointRequest.RedirectUri (which represents the OAuth2 redirect_uri parameter) is guarded against null values in InvokeAuthorizeEndpointAsync and is used later by the token endpoint to ensure requests are made using the same redirect_uri as the one used to get an authorization code.

TL;DR: don't try to use redirect_uri from your own code.
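As an added example (not code from this thread or from Katana itself), this is where the OAuth2 redirect_uri the answer refers to is validated by the authorization server: an OAuthAuthorizationServerProvider override that accepts only an exact match against an assumed in-memory client registration, so the value Katana later stores in the ticket and re-checks at the token endpoint is one the server approved. The client id and URIs are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Added example, not Katana's own code. AuthenticationProperties.RedirectUri
// (where the user lands after login) is unrelated to what is checked here.
public class ExampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Constructed sample registrations; a real deployment reads these from its client store.
    private static readonly IDictionary<string, string[]> RegisteredRedirectUris =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "example-client", new[] { "https://app.example.com/signin-oauth" } }
        };

    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        string[] allowed;
        if (context.ClientId != null && RegisteredRedirectUris.TryGetValue(context.ClientId, out allowed))
        {
            // Request omitted redirect_uri: only acceptable when exactly one URI is registered.
            if (string.IsNullOrEmpty(context.RedirectUri) && allowed.Length == 1)
            {
                context.Validated(allowed[0]);
                return Task.FromResult(0);
            }

            // Exact ordinal comparison only: no prefix, host-suffix or case-insensitive
            // matching, so the authorization code can only be delivered to a registered URI.
            foreach (var uri in allowed)
            {
                if (string.Equals(uri, context.RedirectUri, StringComparison.Ordinal))
                {
                    context.Validated(uri);
                    return Task.FromResult(0);
                }
            }
        }

        // Unknown client or unregistered URI: reject so the handler returns an error
        // instead of redirecting the user agent anywhere.
        context.Rejected();
        return Task.FromResult(0);
    }
}
```

Register the provider via OAuthAuthorizationServerOptions.Provider; the value passed to Validated is the one the handler keeps under the redirect_uri key and compares against the token request.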