This check happens to be always invalid for me. The route for returnURL is registered in a nested router (using app.use from the main express app), and thus the assertionUrl.pathname option is not equal to receivedReturnUrl.pathname. I guess it is just a typo and should be fixed to the check against originalReturnUrl as in other places in the same if.
This check happens to be always invalid for me. The route for
returnURLis registered in a nested router (usingapp.usefrom the main express app), and thus theassertionUrl.pathnameoption is not equal toreceivedReturnUrl.pathname. I guess it is just a typo and should be fixed to the check againstoriginalReturnUrlas in other places in the sameif.