Description
Summary
My proposal is to make the class RelativeRedirectUriValidator public so that it can be inherited or used in ways other than the default flow. It provides complex logic, which is hard to maintain if it has to be copied into your own project.
Motivation and goals
In my project I faced a problem when my identity server had two clients: one is a SPA on Blazor, the other is a native application. For the Blazor app I used the default redirect URI validation, which is provided by the standard AddApiAuthorization method. However, for the native app I need the ability to redirect to localhost URIs with a random port.
I think the best solution in my situation is to inherit RelativeRedirectUriValidator with additional logic for allowing redirect URIs if they are localhost and related to the native client.
Risks / unknowns
I don't think that it can create any problems, because it is already used in the default implementation.
Examples
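using System;
using System.Threading.Tasks;

public class LocalhostRedirectUriValidator : RelativeRedirectUriValidator
{
    // Parse the URI rather than prefix-matching the string: "http://localhost:" is also
    // the prefix of URIs whose actual host is different (text before an '@' is user info).
    protected bool IsLocalhostRequest(IdentityServer4.Models.Client client, string requestedUri) =>
        client.ClientId == "Native"
        && Uri.TryCreate(requestedUri, UriKind.Absolute, out var uri)
        && uri.Scheme == Uri.UriSchemeHttp
        && string.Equals(uri.Host, "localhost", StringComparison.OrdinalIgnoreCase);

    // Accept the URI if either the default (relative) validation or the localhost rule allows it.
    public override async Task<bool> IsRedirectUriValidAsync(string requestedUri, IdentityServer4.Models.Client client)
    {
        var isDefaultRequest = await base.IsRedirectUriValidAsync(requestedUri, client);
        var isLocalhostRequest = IsLocalhostRequest(client, requestedUri);
        return isDefaultRequest || isLocalhostRequest;
    }
    ...
}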
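An added example, not part of the original issue and not IdentityServer code: the "localhost with a random port" requirement checked against a list of registered loopback redirect URIs, so that only the port may vary while scheme, host, path and query must match. This goes a step further than the check in the issue, which accepts any path; `LoopbackRedirectMatcher`, `Matches` and `IsAllowed` are hypothetical names, and the URIs are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical helper): port-agnostic matching of a requested
// redirect URI against loopback URIs registered for a native client.
public static class LoopbackRedirectMatcher
{
    // True when both URIs are plain http loopback URIs with the same host,
    // path and query. The port is deliberately ignored.
    public static bool Matches(string registered, string requested)
    {
        if (!Uri.TryCreate(registered, UriKind.Absolute, out var reg) ||
            !Uri.TryCreate(requested, UriKind.Absolute, out var req))
            return false;

        return IsPlainLoopback(reg) && IsPlainLoopback(req)
            && string.Equals(reg.Host, req.Host, StringComparison.OrdinalIgnoreCase)
            && string.Equals(reg.PathAndQuery, req.PathAndQuery, StringComparison.Ordinal)
            && req.Fragment.Length == 0;
    }

    // http scheme, loopback host, no user-info component.
    private static bool IsPlainLoopback(Uri uri) =>
        uri.Scheme == Uri.UriSchemeHttp && uri.IsLoopback && uri.UserInfo.Length == 0;

    // A request is allowed if it matches at least one registered URI.
    public static bool IsAllowed(IEnumerable<string> registered, string requested) =>
        registered.Any(r => Matches(r, requested));

    public static void Main()
    {
        // Constructed sample data.
        var registered = new[] { "http://localhost/callback" };
        var requests = new[]
        {
            "http://localhost:51234/callback",             // random port: allowed
            "http://localhost:51234/other",                // different path: rejected
            "https://localhost:51234/callback",            // different scheme: rejected
            "http://localhost:51234@example.org/callback", // host is example.org: rejected
            "http://localhost.example.org:51234/callback", // not a loopback host: rejected
        };
        foreach (var r in requests)
            Console.WriteLine($"{IsAllowed(registered, r),-5}  {r}");
    }
}
```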