@jesslilly

Hi Alexej,

I think I did the pull request correctly this time. The fix you merged in from doeringp does not pass the unit tests I made. We must still call UrlDecode so that "new Uri" will work correctly. I did use doeringp's good idea to use a dummy.com host since it just makes the URI parsing easier and uses less code. Does not rely on parsing for a question mark.

Also I like having these tests. The other tests in the solution do not cover this issue.

When I add decode back, the new tests pass.

Also, there should be a comment why we use a dummy URL.

Thank you. I hope this PR is merged. 😄

[Fact]
public void GetSignInRequestMessage_parses_url_query_correctly()
{
var encodedUrl = "%2Fwsfederation%3Fwtrealm%3Drealm%26wa%3Dwsignin1.0%26wreply%3Dhttps%253A%252F%252Flocalhost%253A44310%252Fsignin-wsfed%26wctx%3DCfDJ8N3n";
Owner

Your tests did not pass because the URL you pass in your tests is not like it would be passed when you would use the library. It would be rather like this "/WsFederation?wtrealm=urn%3Aaspnetcorerp&wa=wsignin1.0&wreply=http%3A%2F%2Flocalhost%3A10314%2F&wctx=CfDJ8H09lVj2W7VEs5pRor8gYi8GmcbmE1K-5wiTeL1pozxPOJ3rkb-SeD5X-YzLYNtr1UrkAAHIkMyZaGNDJ2B_OVdO9KixFMcmiY2UGm7JXMbYM47UBM2-XgZFoSsEJGPO8eXVPGxiNBINF1fC2qjJ9MI9oYmHcLY79wz3lG0XcVFq5lR8CNiX6BAIRBWRZC7Wj3Ur1YmsH3DZXvtcRzxRKQN6_QytWYwRGA9_BEc7ezHjVae05RN4NdA165pd8IzYeg". You can try it yourself when you run the samples and step in with a debugger.

Author

The strange thing is that I got the values directly from my debugger. I did "copy value".

Owner

I think your IDE somehow URL-encodes the value, that's why it is wrong. If you think about it, the "/WsFederation" is the path for the server to interpret, so why should it be URL-encoded?

{
public static WsFederationMessage GetSignInRequestMessage(string encodedUrl)
{
var decodedUrl = WebUtility.UrlDecode(encodedUrl);
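
Review bot: `WebUtility.UrlDecode(encodedUrl)` on the last line decodes the whole URL before it is parsed, so an encoded `%26` or `%3D` inside a parameter value becomes a real separator and the parsed parameters no longer match what the client sent. WebUtility.UrlDecode also turns `+` into a space. Consider parsing the query first and decoding each value once, or decoding only where the input is known to be wholly encoded.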
Owner

This is not necessary; WsFederationMessage.FromUri() takes care of things that need to be decoded.

public static WsFederationMessage GetSignInRequestMessage(string encodedUrl)
{
var decodedUrl = WebUtility.UrlDecode(encodedUrl);
// Fix: Add dummy.com host so Uri can properly parse out the query string.
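
Review bot: The comment on the last line opens with "Fix:", which records the history of the change rather than why the code needs the host. Suggest stating the reason directly, for example that Uri only exposes Query on absolute URIs, so a placeholder host is prepended to the relative return URL.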
Owner

agree on that 👍

@616b2f
Owner

616b2f commented Mar 1, 2021

Thank you for your PR. I think your tests could be a good addition to our unit tests; there are really not many of them at the moment, and I would be happy to merge if you resolve my concerns in the comments.

@jesslilly
Author

No problem Alexej. I will try again.

@jesslilly
Author

Haha. Hi again @616b2f. For some reason I thought we were speaking different languages, but now I figured out why I get encoded URLs. It is because my IdentityServer implementation never decodes the URL before it is passed to IsValidReturnUrl. (I did not implement IdentityServer myself. I have inherited this project.)

In this picture you can see the encoded URL and it is passed as encoded all the way down the call stack.

I am surprised because the code for WebUtility.UrlDecode was in the source code before. So it must have been needed.

WsFederationMessage.FromUri does not decode by itself as seen in the implementation here:

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/bbf721fedca5dabc0d77e22828a5948be0d3fa86/src/Microsoft.IdentityModel.Protocols.WsFederation/WsFederationMessage.cs#L84

Also I added a throw new NotImplementedException(); as the first line in GetSignInRequestMessage. I cannot get the tests in WsFederationInterfaceTests to exercise that code. They still pass.

I'm not sure what to do now. I am finishing my day, so I will sleep on it.

Cordially,
Jess
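
The question debated in this thread, whether to decode the whole return URL before parsing it or to parse first and decode each value, as an added example (not code from this PR or the library). `HttpUtility.ParseQueryString` is a stand-in for the query parsing step, the class and method names are hypothetical, and the sample URL is constructed.

```csharp
using System;
using System.Net;
using System.Web; // HttpUtility.ParseQueryString: stand-in parser, an assumption of this example

public static class ReturnUrlDecodingDemo // hypothetical name
{
    // Placeholder host: Uri.Query is only available on absolute URIs.
    private const string DummyBase = "https://dummy.com";

    // Parse first; the query parser percent-decodes each value exactly once.
    public static string WreplyParseThenDecode(string returnUrl)
    {
        var uri = new Uri(DummyBase + returnUrl);
        return HttpUtility.ParseQueryString(uri.Query)["wreply"];
    }

    // Decode the whole string first, then parse what is left.
    public static string WreplyDecodeThenParse(string returnUrl)
    {
        var uri = new Uri(DummyBase + WebUtility.UrlDecode(returnUrl));
        return HttpUtility.ParseQueryString(uri.Query)["wreply"];
    }

    public static void Main()
    {
        // Constructed input: wreply is itself a URL with a query string,
        // percent-encoded once, as a relying party would send it.
        var returnUrl = "/wsfederation?wtrealm=realm&wa=wsignin1.0"
            + "&wreply=https%3A%2F%2Flocalhost%3A44310%2Fsignin-wsfed%3Fa%3D1%26b%3D2";

        Console.WriteLine(WreplyParseThenDecode(returnUrl));
        Console.WriteLine(WreplyDecodeThenParse(returnUrl));
    }
}
```

With this input the first method returns the full wreply including `?a=1&b=2`, while the second returns it cut off after `a=1`, because the decoded `&` is read as a separator and `b` becomes a top-level parameter. A return-URL check placed after an early decode therefore validates a different value than the one the client sent.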

@616b2f
Owner

616b2f commented Feb 9, 2022

@jesslilly if you could remove the "WebUtility.UrlDecode" and change the URL in the test, I would love to merge your PR.

@jesslilly
Author

jesslilly commented Feb 9, 2022 via email

@616b2f
Owner

616b2f commented Feb 9, 2022

@jesslilly me too so don't worry :)
