NWebsec's "A potentially dangerous redirect was detected" with Facebook logon

I have read through NWebSec's documentation to try and resolve the problem.

Set the web.config to

  <nwebsec>
    <httpHeaderSecurityModule
      xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd"
      xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <redirectValidation enabled="false">
        <allowSameHostRedirectsToHttps enabled="false"/>
        <add allowedDestination="https://www.facebook.com/"/>
        <add allowedDestination="http://www.nwebsec.com/"/>
        <add allowedDestination="https://www.google.com/accounts/"/>
      </redirectValidation>
      <securityHttpHeaders>
        <strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="false" preload="true" />
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>

but I am still getting

A potentially dangerous redirect was detected. Add the destination to the whitelist in configuration if the redirect was intended. Offending redirect: https://www.facebook.com/dialog/oauth?response_type=code&

cowboypurest asked Nov 15 '25 19:11


1 Answer

This came up in Google before the answer, which is here: https://docs.nwebsec.com/en/latest/nwebsec/Redirect-validation.html

In summary, you have to whitelist the URL which your login service refers to, like this:

    app.UseRedirectValidation(opts =>
    {
        opts.AllowedDestinations("https://www.facebook.com/dialog/oauth");
        opts.AllowedDestinations("https://login.microsoftonline.com"); // Tested
    });
philw answered Nov 17 '25 09:11

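An added example (not from the question, the answer or NWebsec itself) showing where the allow-list above sits in a Katana Startup class so that the redirect issued by the Facebook middleware actually passes through the validator; the namespace MyApp, the placeholder app credentials, the external cookie name and the option name AllowSameHostRedirectsToHttps are assumptions.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Facebook;
using NWebsec.Owin;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp // assumed namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register redirect validation BEFORE any middleware that issues
            // redirects: it inspects the responses produced by the middleware
            // registered after it and rejects a 3xx whose Location header is
            // not on the allow-list (that is the "potentially dangerous
            // redirect" exception from the question).
            app.UseRedirectValidation(opts =>
            {
                // Redirects to the same host need no entry. Cross-host
                // destinations are matched against the start of the absolute
                // redirect URL, so this one entry covers the OAuth dialog URL
                // together with its query string
                // (https://www.facebook.com/dialog/oauth?response_type=code&...).
                opts.AllowedDestinations("https://www.facebook.com/dialog/oauth");

                // Let http -> https redirects on the same host through as well
                // (assumed option name, mirrors the web.config element above).
                opts.AllowSameHostRedirectsToHttps();
            });

            // The external sign-in cookie the social login middleware stores
            // its result in (assumed cookie name).
            app.UseExternalSignInCookie("ExternalCookie");

            // This middleware is what issues the redirect to Facebook; because
            // it is registered after the validator, that redirect is checked
            // against the allow-list instead of being rejected.
            app.UseFacebookAuthentication(new FacebookAuthenticationOptions
            {
                AppId = "<your-facebook-app-id>",         // placeholder
                AppSecret = "<your-facebook-app-secret>"  // placeholder
            });
        }
    }
}
```

If the web.config approach is used instead, remember that the configured allow-list only applies while `redirectValidation enabled="true"`; with it set to `false` the OWIN middleware's own options are what decide.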