InvalidOperationException: Invalid return url. The return url needs to have the same origin as the current page.

I host my Blazor WebAssembly application in a sub-directory: https://localhost:5000/myapp

The base path is defined in index.html: <base href="/myapp/" />

I use Identity Server for authentication, so there is a link to the authentication page from the component NotLoggedIn.razor: <a href="authentication/login?returnUrl=@Uri.EscapeDataString(Navigation.Uri)">log in</a>

and the authentication page:

@page "/authentication/{action}"

<RemoteAuthenticatorView Action="@Action">
  ...
</RemoteAuthenticatorView>

@code{
    [Parameter] public string Action { get; set; }
}

When I navigate to https://localhost:5000/myapp/ it works as expected.

When I navigate to https://localhost:5000/myapp an exception happens:

    Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
    Unhandled exception rendering component: Invalid return url. The return url needs to have the same origin as the current page.
    System.InvalidOperationException: Invalid return url. The return url needs to have the same origin as the current page.
      at Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticatorViewCore1[TAuthenticationState].GetReturnUrl (TAuthenticationState state, System.String defaultReturnUrl) <0x333cda8 + 0x00098> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticatorViewCore1[TAuthenticationState].OnParametersSetAsync () <0x333c238 + 0x001f0> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.ComponentBase.CallStateHasChangedOnAsyncCompletion (System.Threading.Tasks.Task task) <0x31b2bd8 + 0x000da> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync () <0x2f63bf8 + 0x001d8> in <filename unknown>:0

This happens in the method GetReturnUrl of RemoteAuthenticatorViewCore, ln 346:

    private string GetReturnUrl(TAuthenticationState state, string defaultReturnUrl = null)
    {
        if (state?.ReturnUrl != null)
        {
            return state.ReturnUrl;
        }

        var fromQuery = QueryStringHelper.GetParameter(new Uri(Navigation.Uri).Query, "returnUrl");
        if (!string.IsNullOrWhiteSpace(fromQuery) && !fromQuery.StartsWith(Navigation.BaseUri))
        {
            // This is an extra check to prevent open redirects.
            throw new InvalidOperationException("Invalid return url. The return url needs to have the same origin as the current page.");
        }

        return fromQuery ?? defaultReturnUrl ?? Navigation.BaseUri;
    }

Because the base path is defined with a slash at the end but the current path doesn't contain the slash, the check !fromQuery.StartsWith(Navigation.BaseUri) is true.

Unfortunately, I cannot define the base without a slash at the end because it breaks navigation.

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:1
  • Comments:6 (3 by maintainers)

Top GitHub Comments

9 reactions
dahovey commented, Nov 14, 2020

I came across this error while also trying to nest a Blazor WebAssembly app within a sub-path using the ASP.NET Core hosting model.

A workaround was to modify the RedirectToLogin component so that it ensures the sub-path includes the trailing slash. Below, I am hosting the WASM application from the app sub-path, as in http://localhost:5000/app/. From this documentation:

@inject NavigationManager Navigation

@code {
    protected override void OnInitialized()
    {
        var uri = Navigation.Uri;

        if (uri.EndsWith("/app"))
            uri += "/";

        Navigation.NavigateTo($"authentication/login?returnUrl={Uri.EscapeDataString(uri)}");
    }
}
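
The check quoted in the issue and the workaround above both turn on how the return URL is compared with the base URI. As an added example (not part of the thread and not the framework's code; `ReturnUrlCheck` and its method names are hypothetical), this compares scheme, host and port and then the path on a segment boundary, and goes beyond the issue's single case by also showing why trimming the slash from the base in a plain prefix test is not a safe alternative:

```csharp
using System;

// Added illustration, not framework code. All names here are hypothetical.
public static class ReturnUrlCheck
{
    // Mirrors the quoted check: a raw string prefix test against the base URI.
    public static bool PrefixCheck(string returnUrl, string baseUri) =>
        returnUrl.StartsWith(baseUri, StringComparison.Ordinal);

    // Same origin (scheme, host, port), then the path compared on a segment
    // boundary: "/myapp" and "/myapp/" both match, "/myappevil" does not.
    public static bool IsUnderBase(string returnUrl, string baseUri)
    {
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var target))
            return false;
        var root = new Uri(baseUri, UriKind.Absolute);
        if (Uri.Compare(target, root, UriComponents.SchemeAndServer,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
            return false;

        var basePath = root.AbsolutePath.TrimEnd('/');   // "/myapp"
        var path = target.AbsolutePath;                  // dot segments already resolved by Uri
        return path.Equals(basePath, StringComparison.Ordinal)
            || path.StartsWith(basePath + "/", StringComparison.Ordinal);
    }

    public static void Main()
    {
        const string baseUri = "https://localhost:5000/myapp/";
        // Constructed sample inputs.
        string[] samples =
        {
            "https://localhost:5000/myapp/",          // normal case
            "https://localhost:5000/myapp",           // the case from the issue
            "https://localhost:5000/myapp/counter",   // page inside the app
            "https://localhost:5000/myappevil",       // sibling path sharing the prefix
            "https://localhost:5000/myapp/../other",  // resolves outside the base path
            "https://example.test/myapp/",            // different origin
        };

        foreach (var s in samples)
        {
            var prefix  = PrefixCheck(s, baseUri);                 // check as quoted
            var trimmed = PrefixCheck(s, baseUri.TrimEnd('/'));    // naive "fix"
            var segment = IsUnderBase(s, baseUri);                 // segment-aware
            Console.WriteLine($"{s,-42} prefix={prefix,-6} trimmedPrefix={trimmed,-6} segment={segment}");
        }
    }
}
```
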
5 reactions
stephajn commented, Mar 4, 2022

I wanted to give this issue a bump because after two years, you’d think this might be addressed.
