3

When I use OpenIdConnect I have a problem in a OpenIdConnectHandler (394 line)

So, I use a cyrillic domain http://грант-лев.рф (just for example) and redirect URI in OpenIdConnectHandler looks incorrect:

The redirect URI is not well-formed. The URI is: 'http://грант-лев.рф:5000/connect/authorize?client_id=RosgrantService&redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai%3A5002%2Fsignin-oidc&

Seems, punycode like here redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai would be good, but I dont know where I can handle it.

Moreover, after this warning I catch an exception in kestrel

System.InvalidOperationException: Invalid non-ASCII or control character in header: 0x0433    
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ThrowInvalidHeaderCharacter(Char ch)    
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(String headerCharacters)    
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(StringValues headerValues)
    ....

So, how can I turn my cyrillic domain to punycode to prevent warning and a Kestrel craching in OpenIdConnectHandler?

UPDATE: It could be useful https://github.com/aspnet/Security/issues/1646

Also I've solved a problem by using some workaround http://amilspage.com/set-identityserver4-url-behind-loadbalancer/

Lev Nikolaevich
  • 33
  • 3

1 Answers1

1

Issue is with internationalised domain name you are using.

tldr; OpenID Connect does not allow IDN in redirect URI.

Explanation

OpenID Connect is built on top of OAuth 2.0. Because of that, it inherit key protocol definitions from OAuth 2.0. Below is an extraction of the definition for redirect endpoint

3.1.2. Redirection Endpoint

The redirection endpoint URI MUST be an absolute URI as defined by RFC3986 Section 4.3.

According to OAuth 2.0 definition, you cannot use internationalised redirect endpoint since its definition is based on RFC3986 (as shown above)

Now here is the extraction from RFC3986 about characters allowed in URI,

Characters

The ABNF notation defines its terminal values to be non-negative integers (codepoints) based on the US-ASCII coded character set [ASCII]. Because a URI is a sequence of characters, we must invert that relation in order to understand the URI syntax. Therefore, the integer values used by the ABNF must be mapped back to their corresponding characters via US-ASCII in order to complete the syntax rules.

If you want to convert IDN to valid ASCII, you may use IdnMapping class to do the mapping. This question explains how to use it.

Issues with IDN for OpenID Connect/OAuth 2.0

In OAuth 2.0, you need to validate the redirect URI. So if you are using a IDN, you need to convert it and store it at authorization server. This way you solve one issue, you authorization server would accept redirect uri comes in.

But response for authorization request could be problematic. From your client application, you are using a IDN. But you have registered ASCII value of your redirect endpoint to comply with protocol definition. When authorization server respond back, your client application cannot receive the response as there is no redirection endpoint matching to ASCII value.

If your authorisation server could handle punycode conversions, then problem could be solved in customised manner. But if it can't, only option is to use ASCII based redirection endpoint.

Community
  • 1
  • 1
Kavindu Dodanduwa
  • 12,193
  • 3
  • 33
  • 46
  • Thank you for your reply! I use IdentityServer4. Could you advice me, please, how can handle this situation there? – Lev Nikolaevich Feb 13 '18 at 07:18
  • @LevNikolaevich my answers last part explain the complication you are facing. You are using an internationalised domain name(IDN) which is not valid for OpenID Connect (OIDC). And your identity server does not allow IDN. That's why you are getting a validation error. So you might need to have a redirect endpoint without internationalisation. – Kavindu Dodanduwa Feb 13 '18 at 11:29