Avoid manually using UrlEncoder.Encode() to prevent the state from being encoded twice

Author: kevinchalet

samples/Mvc.Client/Startup.cs

@@ -37,31 +37,31 @@ public void Configure(IApplicationBuilder app)
                 LogoutPath = new PathString("/signout")
             });
 
-            app.UseOpenIdAuthentication(new OpenIdAuthenticationOptions
+            app.UseOpenIdAuthentication(options =>
             {
-                AuthenticationScheme = "Orange",
-                DisplayName = "Orange",
-                Authority = new Uri("https://orange.fr/"),
-                CallbackPath = new PathString("/signin-orange")
+                options.AuthenticationScheme = "Orange";
+                options.DisplayName = "Orange";
+                options.Authority = new Uri("https://openid.orange.fr/");
+                options.CallbackPath = new PathString("/signin-orange");
             });
 
-            app.UseOpenIdAuthentication(new OpenIdAuthenticationOptions
+            app.UseOpenIdAuthentication(options =>
             {
-                AuthenticationScheme = "StackExchange",
-                DisplayName = "StackExchange",
-                Authority = new Uri("https://openid.stackexchange.com/"),
-                CallbackPath = new PathString("/signin-stackexchange")
+                options.AuthenticationScheme = "StackExchange";
+                options.DisplayName = "StackExchange";
+                options.Authority = new Uri("https://openid.stackexchange.com/");
+                options.CallbackPath = new PathString("/signin-stackexchange");
             });
 
-            app.UseOpenIdAuthentication(new OpenIdAuthenticationOptions
+            app.UseOpenIdAuthentication(options =>
             {
-                AuthenticationScheme = "Intuit",
-                DisplayName = "Intuit",
-                CallbackPath = new PathString("/signin-intuit"),
-                Configuration = new OpenIdAuthenticationConfiguration
+                options.AuthenticationScheme = "Intuit";
+                options.DisplayName = "Intuit";
+                options.CallbackPath = new PathString("/signin-intuit");
+                options.Configuration = new OpenIdAuthenticationConfiguration
                 {
                     AuthenticationEndpoint = "https://openid.intuit.com/OpenId/Provider"
-                }
+                };
             });
 
             app.UseSteamAuthentication();

src/AspNet.Security.OpenId/OpenIdAuthenticationExtensions.cs

@@ -13,16 +13,16 @@ namespace Microsoft.AspNetCore.Builder
 {
     /// <summary>
     /// Exposes convenient extensions that can be used to add an instance
-    /// of the OpenID authentication middleware in an ASP.NET 5 pipeline.
+    /// of the OpenID authentication middleware in an ASP.NET Core pipeline.
     /// </summary>
     public static class OpenIdAuthenticationExtensions
     {
         /// <summary>
         /// Adds <see cref="OpenIdAuthenticationMiddleware{TOptions}"/> to the specified
-        /// <see cref="IApplicationBuilder"/>, which enables OpenID2 authentication capabilities.
+        /// <see cref="IApplicationBuilder"/>, which enables OpenID 2.0 authentication capabilities.
         /// </summary>
         /// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
-        /// <param name="options">The <see cref="OpenIdAuthenticationOptions"/> used to configure the OAuth2 options.</param>
+        /// <param name="options">The <see cref="OpenIdAuthenticationOptions"/> used to configure the OpenID 2.0 options.</param>
         /// <returns>The <see cref="IApplicationBuilder"/>.</returns>
         public static IApplicationBuilder UseOpenIdAuthentication(
             [NotNull] this IApplicationBuilder app,
@@ -43,10 +43,10 @@ public static IApplicationBuilder UseOpenIdAuthentication(
 
         /// <summary>
         /// Adds <see cref="OpenIdAuthenticationMiddleware{TOptions}"/> to the specified
-        /// <see cref="IApplicationBuilder"/>, which enables OpenID2 authentication capabilities.
+        /// <see cref="IApplicationBuilder"/>, which enables OpenID 2.0 authentication capabilities.
         /// </summary>
         /// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
-        /// <param name="configuration">The delegate used to configure the OAuth2 options.</param>
+        /// <param name="configuration">The delegate used to configure the OpenID 2.0 options.</param>
         /// <returns>The <see cref="IApplicationBuilder"/>.</returns>
         public static IApplicationBuilder UseOpenIdAuthentication(
             [NotNull] this IApplicationBuilder app,

src/AspNet.Security.OpenId/OpenIdAuthenticationHandler.cs

@@ -259,8 +259,6 @@ protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext con
             // Generate a new anti-forgery token.
             GenerateCorrelationId(properties);
 
-            var state = UrlEncoder.Encode(Options.StateDataFormat.Protect(properties));
-
             // Create a new message containing the OpenID 2.0 request parameters.
             // See http://openid.net/specs/openid-authentication-2_0.html#requesting_authentication
             var message = new OpenIdAuthenticationMessage
@@ -272,7 +270,8 @@ protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext con
                 Realm = realm,
                 ReturnTo = QueryHelpers.AddQueryString(
                     uri: properties.Items[OpenIdAuthenticationConstants.Properties.ReturnTo],
-                    name: OpenIdAuthenticationConstants.Parameters.State, value: state)
+                    name: OpenIdAuthenticationConstants.Parameters.State,
+                    value: Options.StateDataFormat.Protect(properties))
             };
 
             if (Options.Attributes.Count != 0)
@@ -355,8 +354,10 @@ private async Task<bool> VerifyAssertionAsync([NotNull] OpenIdAuthenticationMess
             }
 
             // Create a new check_authentication request to verify the assertion.
-            var request = new HttpRequestMessage(HttpMethod.Post, configuration.AuthenticationEndpoint);
-            request.Content = new FormUrlEncodedContent(payload);
+            var request = new HttpRequestMessage(HttpMethod.Post, configuration.AuthenticationEndpoint)
+            {
+                Content = new FormUrlEncodedContent(payload)
+            };
 
             var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
             if (!response.IsSuccessStatusCode)