Closed greg-signi closed 2 weeks ago
The purpose of the `IReturnUrlValidator` is to prevent an open redirect on the login endpoint. If you have made customizations which include other means to ensure that there is not an open redirect, you might disable the `IReturnUrlValidator`. But it is nothing I would recommend; it's better to be safe than sorry.
I would also like to comment on using the BFF in a multi-tenant, multi-host scenario: it is nothing that we officially support. Based on how the OpenIdConnect handler works, it is hard to get a working solution which does contain race conditions that could mix up tenants.
Thanks for the answer
Which version of Duende BFF are you using? 2.1.1
Do you see any issues with disabling the `FrontendHostReturnUrlValidator`? Since we are implementing a multi-tenant BFF, we are already using custom domain logic and lookups dynamically, and it doesn't really do us much having this validator from our POV. Do you see any potential issues / security threats?
Thanks for your time
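
An added example, not code from this thread or from Duende BFF: one way a custom multi-tenant check could keep the open-redirect protection the answer describes instead of dropping return URL validation altogether. The class name, the `requestHost` parameter and the tenant host set are assumptions; the hosts would come from your own custom domain lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not part of Duende BFF): decides whether a return URL
// may be used after login in a multi-tenant, multi-host deployment.
public static class TenantReturnUrlCheck
{
    // Local means a rooted path: "/x" is local, "//host" and "/\host" are not,
    // because browsers treat those as scheme-relative URLs to another host.
    public static bool IsLocal(string url) =>
        url.Length > 0 && url[0] == '/'
        && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'))
        && !url.Any(char.IsControl);

    public static bool IsSafe(string returnUrl, string requestHost, ISet<string> tenantHosts)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;
        if (IsLocal(returnUrl)) return true;

        // Anything else must parse as an absolute https URL on the default port,
        // without userinfo ("https://tenant@other-host/" style confusion).
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps || !uri.IsDefaultPort) return false;
        if (uri.UserInfo.Length > 0) return false;

        // The target must be a known tenant host AND the host this request
        // arrived on, so a login started for one tenant cannot land on another.
        return tenantHosts.Contains(uri.Host)
            && string.Equals(uri.Host, requestHost, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample data: two tenant hosts, request arrives on tenant-a.
        var hosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "tenant-a.example", "tenant-b.example" };
        string[] samples =
        {
            "/dashboard", "//other.example/x", "/\\other.example/x",
            "https://tenant-a.example/home", "https://tenant-b.example/home",
            "https://other.example/home", "https://tenant-a.example@other.example/",
            "http://tenant-a.example/home",
        };
        foreach (var s in samples)
            Console.WriteLine($"{IsSafe(s, "tenant-a.example", hosts),-5} {s}");
    }
}
```

A check like this could be called from whatever validator replaces the built-in one, with `requestHost` taken from the incoming request after your own host validation.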