Update to Auth0-ASPNET 2.1.0

Quickstart/00-Starter-Seed/auth0-aspnet-mvc4-sample/aspnet4-sample1/Controllers/AccountController.cs

@@ -0,0 +1,57 @@
+using Auth0.AuthenticationApi;
+using Auth0.AuthenticationApi.Models;
+using System;
+using System.Configuration;
+using System.Globalization;
+using System.IdentityModel.Services;
+using System.Web;
+using System.Web.Mvc;
+
+namespace aspnet4_sample1.Controllers
+{
+    public class AccountController : Controller
+    {
+        public ActionResult Login(string returnUrl)
+        {
+            var client = new AuthenticationApiClient(
+                new Uri(string.Format("https://{0}", ConfigurationManager.AppSettings["auth0:Domain"])));
+
+
+            var request = this.Request;
+            var redirectUri = new UriBuilder(request.Url.Scheme, request.Url.Host, this.Request.Url.IsDefaultPort ? -1 : request.Url.Port, "LoginCallback.ashx");
+
+            var authorizeUrlBuilder = client.BuildAuthorizationUrl()
+                .WithClient(ConfigurationManager.AppSettings["auth0:ClientId"])
+                .WithRedirectUrl(redirectUri.ToString())
+                .WithResponseType(AuthorizationResponseType.Code)
+                .WithScope("openid profile")
+                // adding this audience will cause Auth0 to use the OIDC-Conformant pipeline
+                // you don't need it if your client is flagged as OIDC-Conformant (Advance Settings | OAuth)
+                .WithAudience("https://" + @ConfigurationManager.AppSettings["auth0:Domain"] + "/userinfo");
+
+            if (!string.IsNullOrEmpty(returnUrl))
+            {
+                var state = "ru=" + HttpUtility.UrlEncode(returnUrl);
+                authorizeUrlBuilder.WithState(state);
+            }
+
+            return new RedirectResult(authorizeUrlBuilder.Build().ToString());
+        }
+
+        public ActionResult Logout()
+        {
+            FederatedAuthentication.SessionAuthenticationModule.SignOut();
+
+            // Redirect to Auth0's logout endpoint.
+            // After terminating the user's session, Auth0 will redirect to the 
+            // returnTo URL, which you will have to add to the list of allowed logout URLs for the client.
+            var returnTo = Url.Action("Index", "Home", null, protocol: Request.Url.Scheme);
+            return Redirect(
+              string.Format(CultureInfo.InvariantCulture,
+                "https://{0}/v2/logout?returnTo={1}&client_id={2}",
+                ConfigurationManager.AppSettings["auth0:Domain"],
+                Server.UrlEncode(returnTo),
+                ConfigurationManager.AppSettings["auth0:ClientId"]));
+        }
+    }
+}

Quickstart/00-Starter-Seed/auth0-aspnet-mvc4-sample/aspnet4-sample1/Controllers/HomeController.cs

@@ -30,19 +30,5 @@ public ActionResult Contact()
 
             return View();
         }
-
-        public ActionResult Logout()
-        {
-            FederatedAuthentication.SessionAuthenticationModule.SignOut();
-
-            // Redirect to Auth0's logout endpoint
-            var returnTo = Url.Action("Index", "Home", null, protocol: Request.Url.Scheme);
-            return Redirect(
-              string.Format(CultureInfo.InvariantCulture,
-                "https://{0}/v2/logout?returnTo={1}&client_id={2}",
-                ConfigurationManager.AppSettings["auth0:Domain"],
-                Server.UrlEncode(returnTo),
-                ConfigurationManager.AppSettings["auth0:ClientId"]));
-        }
     }
 }

Quickstart/00-Starter-Seed/auth0-aspnet-mvc4-sample/aspnet4-sample1/LoginCallback.ashx.cs

@@ -58,10 +58,17 @@ public override async Task ProcessRequestAsync(HttpContext context)
             //       You can choose your own mechanism to keep the user authenticated (FormsAuthentication, Session, etc.)
             FederatedAuthentication.SessionAuthenticationModule.CreateSessionCookie(user);
 
-            if (context.Request.QueryString["state"] != null && context.Request.QueryString["state"].StartsWith("ru="))
+            var state = context.Request.QueryString["state"];
+            if (state != null)
             {
-                var state = HttpUtility.ParseQueryString(context.Request.QueryString["state"]);
-                context.Response.Redirect(state["ru"], true);
+                var stateValues = HttpUtility.ParseQueryString(context.Request.QueryString["state"]);
+                var redirectUrl = stateValues["ru"];
+
+                // check for open redirection
+                if (redirectUrl != null && IsLocalUrl(redirectUrl))
+                {
+                    context.Response.Redirect(redirectUrl, true);
+                }
             }
 
             context.Response.Redirect("/");
@@ -71,5 +78,13 @@ public bool IsReusable
         {
             get { return false; }
         }
+
+        private bool IsLocalUrl(string url)
+        {
+            return !String.IsNullOrEmpty(url)
+                && url.StartsWith("/")
+                && !url.StartsWith("//")
+                && !url.StartsWith("/\\");
+        }
     }
 }

Quickstart/00-Starter-Seed/auth0-aspnet-mvc4-sample/aspnet4-sample1/Scripts/_references.js

@@ -1,5 +1,5 @@
-/// <reference path="modernizr-2.8.3.js" />
-/// <reference path="jquery-3.1.1.js" />
+/// <reference path="jquery-3.2.1.js" />
+/// <reference path="modernizr-2.8.3.js" />
 /// <autosync enabled="true" />
 /// <reference path="jquery.validate.js" />
 /// <reference path="jquery.validate.unobtrusive.js" />