I have an ASP.NET Core 2.1 app with OpenID Connect authentication:

```csharp
services.AddAuthentication(...)
    .AddCookie(...)
    .AddOpenIdConnect(...);
```

When an unauthenticated user visits the URL `/path?somequery#somehashfragment`, they are redirected to the authentication provider's login page and then back to `/path?somequery`, but the hash fragment is stripped out.
URL hash fragments do not leave the browser. That means if you put a hash fragment in a URL in your browser and visit it, the fragment won't reach the server. The solution would be to make this parameter a query parameter.

From the OIDC perspective, this is used in the implicit flow to prevent token stealing. This is highlighted in the specification's Implicit Flow Threats section.
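An added example, not code from the original question or answer, that shows with the WHATWG `URL` API what the server actually receives for such a request and how the answer's suggestion (carry the fragment as a query parameter across the login redirect, then restore it on return) can be implemented on the browser side. The host `app.example` and the parameter name `returnFragment` are assumptions made for this example.

```javascript
// Added example (not from the original question or answer). Uses the WHATWG
// URL API, available in browsers and Node.js without any imports.

// What the server actually receives for a request to `url`: the path and the
// query only. The fragment stays in the browser and is never sent.
function requestTargetSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Before handing the user off to the login redirect, move the fragment into a
// query parameter so it survives the round trip through the identity provider.
// The parameter name `returnFragment` is an assumption for this example.
function fragmentToQuery(url, paramName = "returnFragment") {
  const u = new URL(url);
  if (u.hash.length > 1) {
    // u.hash includes the leading '#'; store only the fragment text
    u.searchParams.set(paramName, u.hash.slice(1));
    u.hash = ""; // removes the fragment entirely
  }
  return u.toString();
}

// After the redirect chain brings the user back, restore the fragment and drop
// the carrier parameter. The value comes back in a query string the server
// echoed, so treat it as untrusted: it is only ever re-attached as a fragment,
// never used as a navigation target or URL on its own.
function queryToFragment(url, paramName = "returnFragment") {
  const u = new URL(url);
  const frag = u.searchParams.get(paramName);
  if (frag !== null) {
    u.searchParams.delete(paramName);
    u.hash = frag; // setter adds the '#' and percent-encodes as needed
  }
  return u.toString();
}

// Constructed sample URL (the host is an assumption for this example).
const sampleUrl = "https://app.example/path?page=2#section-3";
console.log(requestTargetSeenByServer(sampleUrl)); // "/path?page=2"
console.log(fragmentToQuery(sampleUrl));
console.log(queryToFragment(fragmentToQuery(sampleUrl)));
```

In the ASP.NET Core app this would run as a small client-side script on pages that may be visited unauthenticated: call `fragmentToQuery(location.href)` before triggering the challenge, and `queryToFragment(location.href)` plus `history.replaceState` on the page the user returns to. Note that the returned-to page still cannot rely on the server having seen the fragment at any point.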