dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

InvalidOperationException: Invalid return url. The return url needs to have the same origin as the current page. #24316

Open michaeldz opened 4 years ago

michaeldz commented 4 years ago

I host my Blazor WebAssembly application in a sub-directory - https://localhost:5000/myapp

Base path is defined in index.html: <base href="/myapp/" />

I use Identity Server for authentication, so there is a link to the authentication page from the component NotLoggedIn.razor: <a href="authentication/login?returnUrl=@Uri.EscapeDataString(Navigation.Uri)">log in</a>

and authentication page

@page "/authentication/{action}"

<RemoteAuthenticatorView Action="@Action">
  ...
</RemoteAuthenticatorView>

@code{
    [Parameter] public string Action { get; set; }
}

When I navigate to https://localhost:5000/myapp/ it works as expected.

When I navigate to https://localhost:5000/myapp an exception happens:

    Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
    Unhandled exception rendering component: Invalid return url. The return url needs to have the same origin as the current page.
    System.InvalidOperationException: Invalid return url. The return url needs to have the same origin as the current page.
      at Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticatorViewCore`1[TAuthenticationState].GetReturnUrl (TAuthenticationState state, System.String defaultReturnUrl) <0x333cda8 + 0x00098> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticatorViewCore`1[TAuthenticationState].OnParametersSetAsync () <0x333c238 + 0x001f0> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.ComponentBase.CallStateHasChangedOnAsyncCompletion (System.Threading.Tasks.Task task) <0x31b2bd8 + 0x000da> in <filename unknown>:0
      at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync () <0x2f63bf8 + 0x001d8> in <filename unknown>:0

This happens in the GetReturnUrl method of RemoteAuthenticatorViewCore, line 346:

    private string GetReturnUrl(TAuthenticationState state, string defaultReturnUrl = null)
    {
        if (state?.ReturnUrl != null)
        {
            return state.ReturnUrl;
        }

        var fromQuery = QueryStringHelper.GetParameter(new Uri(Navigation.Uri).Query, "returnUrl");
        if (!string.IsNullOrWhiteSpace(fromQuery) && !fromQuery.StartsWith(Navigation.BaseUri))
        {
            // This is an extra check to prevent open redirects.
            throw new InvalidOperationException("Invalid return url. The return url needs to have the same origin as the current page.");
        }

        return fromQuery ?? defaultReturnUrl ?? Navigation.BaseUri;
    }

Because the base path is defined with a slash at the end but the current path doesn't contain the slash, the check !fromQuery.StartsWith(Navigation.BaseUri) is true.

Unfortunately I cannot define the base without a slash at the end because it breaks navigation.

ghost commented 4 years ago

Thanks for contacting us. We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

ghost commented 4 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues you can read our Triage Process.

dahovey commented 3 years ago

I came across this error while also trying to nest a Blazor WebAssembly app within a sub-path using the ASP.NET Core hosting model.

A workaround was to modify the RedirectToLogin component so that it ensures the sub-path includes the trailing slash. Below, I am hosting the WASM application from the app sub-path, as in http://localhost:5000/app/. From this documentation:

@inject NavigationManager Navigation

@code {
    protected override void OnInitialized()
    {
        var uri = Navigation.Uri;

        if (uri.EndsWith("/app"))
            uri += "/";

        Navigation.NavigateTo($"authentication/login?returnUrl={Uri.EscapeDataString(uri)}");
    }
}

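The root cause described in the original report (a plain string-prefix test against Navigation.BaseUri that fails when the browser URL lacks the trailing slash) and the workaround above (appending the slash before building returnUrl) both come down to the same question: how to keep the open-redirect protection while tolerating "/myapp" and "/myapp/" as the same location. The following is an added example, not code from this issue or from ASP.NET Core. It places the check quoted from RemoteAuthenticatorViewCore.GetReturnUrl next to an origin-aware check built on System.Uri, which an application could apply in its own RedirectToLogin component before it builds the returnUrl parameter, or on the server when it receives one. The names ReturnUrlPolicy, PrefixCheck and SameOriginUnderBase are chosen for this example and are not framework APIs; the sample URLs are constructed.

```csharp
using System;

// Added example, not code from the issue or from ASP.NET Core. It contrasts the
// string-prefix check quoted from RemoteAuthenticatorViewCore.GetReturnUrl with an
// origin-aware check that accepts the base path with or without its trailing slash.
// ReturnUrlPolicy, PrefixCheck and SameOriginUnderBase are names chosen for this
// example; they are not framework APIs.
public static class ReturnUrlPolicy
{
    // The check as quoted in the issue: a plain ordinal prefix test against BaseUri.
    // With BaseUri "https://localhost:5000/myapp/" it rejects the otherwise valid
    // "https://localhost:5000/myapp" because the slash is missing.
    public static bool PrefixCheck(string returnUrl, string baseUri)
        => returnUrl.StartsWith(baseUri, StringComparison.Ordinal);

    // Same-origin check that keeps the open-redirect protection:
    //  * the return URL must parse as an absolute URL;
    //  * scheme, host and port must match the base URI (Authority is host[:port]);
    //  * the canonical path must be the base path, or lie beneath it, slash or not.
    public static bool SameOriginUnderBase(string returnUrl, string baseUri)
    {
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var target))
        {
            return false; // not an absolute URL: reject
        }

        var root = new Uri(baseUri, UriKind.Absolute);

        bool sameOrigin =
            string.Equals(target.Scheme, root.Scheme, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(target.Authority, root.Authority, StringComparison.OrdinalIgnoreCase);
        if (!sameOrigin)
        {
            return false; // foreign scheme, host or port, including file: and userinfo tricks
        }

        // Normalize both paths to exactly one trailing slash so that "/myapp" and
        // "/myapp/" are equal, while "/myapplication/" still fails the prefix test.
        // System.Uri has already collapsed "." and ".." segments in AbsolutePath.
        string basePath = root.AbsolutePath.TrimEnd('/') + "/";
        string targetPath = target.AbsolutePath.TrimEnd('/') + "/";
        return targetPath.StartsWith(basePath, StringComparison.Ordinal);
    }
}

public static class Program
{
    public static void Main()
    {
        const string baseUri = "https://localhost:5000/myapp/";

        // Constructed sample inputs: the two URLs from the issue plus a few that a
        // defender would expect the check to reject.
        string[] candidates =
        {
            "https://localhost:5000/myapp/",                // accepted by both
            "https://localhost:5000/myapp",                 // the issue: rejected by PrefixCheck only
            "https://localhost:5000/myapp/orders/42",       // accepted by both
            "https://localhost:5000/myapp/../other/",       // PrefixCheck accepts the raw string; canonical path is /other/
            "https://localhost:5000/myapplication/",        // different app path: rejected by both
            "https://evil.example/myapp/",                  // foreign origin: rejected by both
            "https://localhost:5000@evil.example/myapp/",   // userinfo trick, host is evil.example: rejected by both
            "//evil.example/myapp/",                        // protocol-relative: rejected by both
            "/myapp/",                                      // relative: rejected by both
        };

        foreach (var url in candidates)
        {
            Console.WriteLine(
                $"{url,-46} prefix={ReturnUrlPolicy.PrefixCheck(url, baseUri),-5} " +
                $"origin={ReturnUrlPolicy.SameOriginUnderBase(url, baseUri)}");
        }
    }
}
```

Two details worth knowing before reusing the check. On Unix builds of .NET, Uri.TryCreate treats a string that starts with "/" as an absolute file: URI rather than failing, so the relative and protocol-relative candidates are rejected by the scheme comparison instead of the parse step; the result is the same, but the early return is not where they fall out. And because Uri canonicalizes dot segments, the "/myapp/../other/" case shows why a string prefix is a weak stand-in for a path comparison: the raw string passes the quoted check even though the browser will end up outside the app's base path (still on the same origin, so not an open redirect, but not the location the prefix test appeared to guarantee).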
stephajn commented 2 years ago

I wanted to give this issue a bump because after two years, you'd think this might be addressed.

ghost commented 2 years ago

Thanks for contacting us. We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

harlam357 commented 1 year ago

Same setup using Blazor Hosted in a sub-path with Identity Server. Same issue.

Looking into the workaround from @dahovey

ghost commented 1 year ago

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

ghost commented 11 months ago

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.