Relax same origin checks

josephdecock · josephdecock · commit a57c481198ac · 2026-04-01T09:52:49.000-05:00
diff --git a/IdentityServer/v7/CIMD/CIMD.IdentityServer/McpCimdPolicy.cs b/IdentityServer/v7/CIMD/CIMD.IdentityServer/McpCimdPolicy.cs
@@ -7,9 +7,6 @@ namespace CIMD.IdentityServer;
 /// CIMD policy that ensures all CIMD clients receive the scopes needed to
 /// access our protected resources. CIMD documents (e.g., VS Code's) typically
 /// don't declare any scopes, so this policy adds them server-side.
-///
-/// Also validates that redirect URIs share the same origin as the client_id,
-/// as recommended by CIMD spec section 6.1.
 /// </summary>
 internal sealed class McpCimdPolicy : ICimdPolicy
 {
@@ -29,16 +26,22 @@ public Task<CimdPolicyResult> ValidateDocumentAsync(
         CancellationToken ct) =>
         Task.FromResult(CimdPolicyResult.Allow);
 
-    public Task<CimdPolicyResult> ValidateRedirectUriAsync(Uri redirectUri, CimdRequestContext context, CancellationToken ct)
-    {
-        var clientUri = context.ClientUri;
+    public Task<CimdPolicyResult> ValidateRedirectUriAsync(Uri redirectUri, CimdRequestContext context, CancellationToken ct) =>
+        // Per CIMD section 6.1, the authorization server MAY restrict
+        // redirect URIs to the same origin as the client_id. This sample allows
+        // all redirect URIs so that loopback-based clients (e.g., VS Code) work
+        // out of the box. To enable same-origin enforcement, uncomment below:
+        //
+        // var clientUri = context.ClientUri;
+        // var sameOrigin = string.Equals(redirectUri.Scheme, clientUri.Scheme, StringComparison.OrdinalIgnoreCase)
+        //     && string.Equals(redirectUri.Host, clientUri.Host, StringComparison.OrdinalIgnoreCase)
+        //     && redirectUri.Port == clientUri.Port;
+        //
+        // if (!sameOrigin)
+        // {
+        //     return Task.FromResult(
+        //         CimdPolicyResult.Deny($"Redirect URI '{redirectUri}' does not share the same origin as the client_id '{clientUri}'."));
+        // }
 
-        var sameOrigin = string.Equals(redirectUri.Scheme, clientUri.Scheme, StringComparison.OrdinalIgnoreCase)
-            && string.Equals(redirectUri.Host, clientUri.Host, StringComparison.OrdinalIgnoreCase)
-            && redirectUri.Port == clientUri.Port;
-
-        return Task.FromResult(sameOrigin
-            ? CimdPolicyResult.Allow
-            : CimdPolicyResult.Deny($"Redirect URI '{redirectUri}' does not share the same origin as the client_id '{clientUri}'."));
-    }
+        Task.FromResult(CimdPolicyResult.Allow);
 }
