Resturn url should always be relative

[JJong-nl]

openiddict-samples/samples/Dantooine/Dantooine.WebAssembly.Client/Services/HostAuthenticationStateProvider.cs

Lines 35 to 41 in b3e7e2b

	public void SignIn(string? customReturnUrl = null)
	{
	var returnUrl = customReturnUrl != null ? _navigation.ToAbsoluteUri(customReturnUrl).ToString() : null;
	var encodedReturnUrl = Uri.EscapeDataString(returnUrl ?? _navigation.Uri);
	var logInUrl = _navigation.ToAbsoluteUri($"{LogInPath}?returnUrl={encodedReturnUrl}");
	_navigation.NavigateTo(logInUrl.ToString(), true);
	}

        var encodedReturnUrl = Uri.EscapeDataString(_navigation.ToBaseRelativePath(returnUrl ?? _navigation.Uri));
        var logInUrl = _navigation.ToAbsoluteUri($"{LogInPath}?returnUrl=/{encodedReturnUrl}");

slash + _navigation.ToBaseRelativePath

otherwise problem in login (Url.IsLocalUrl)

openiddict-samples/samples/Dantooine/Dantooine.WebAssembly.Server/Controllers/AuthenticationController.cs

Lines 12 to 23 in b3e7e2b

	[HttpGet("~/login")]
	public ActionResult LogIn(string returnUrl)
	{
	var properties = new AuthenticationProperties
	{
	// Only allow local return URLs to prevent open redirect attacks.
	RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
	};
	// Ask the OpenIddict client middleware to redirect the user agent to the identity provider.
	return Challenge(properties, OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
	}

[kevinchalet]

Nice catch! Feel free to send a PR to address that 👍🏻

Note: that sample was contributed some time ago by @damienbod (thanks again, Damien! ❤️).
It's likely Blazor has changed significantly since it was merged so maybe someone with an expert eye should make a global pass and determine whether specific parts should be updated/revamped?

Cheers.

[damienbod]

Yes, there are some big changes :) I plan an update.