FP: Blazor Identity Components S5146

Version 2025.1 (102418)

To reproduce the issue, just create a new Blazor Web App project in VS, target .NET 9 and set the Authentication Type to Individual Accounts. Set it to Blazor Server as well.

Now scan it and you’ll find that SonarQube complains about an open redirect (S5146) in IdentityRedirectManager.cs.

Yet if you look at the source generated…

        [DoesNotReturn]
        public void RedirectTo(string? uri)
        {
            uri ??= "";

            // Prevent open redirects.
            if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
            {
                uri = navigationManager.ToBaseRelativePath(uri);
            }

            // During static rendering, NavigateTo throws a NavigationException which is handled by the framework as a redirect.
            // So as long as this is called from a statically rendered Identity component, the InvalidOperationException is never thrown.
            navigationManager.NavigateTo(uri);
            throw new InvalidOperationException($"{nameof(IdentityRedirectManager)} can only be used during static rendering.");
        }

It is explicitly being checked for open redirects by changing any non-relative URI to a relative URI, so this appears to be a false positive.
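For anyone triaging the same S5146 finding, the following harness exercises the guard quoted above in isolation. It is an added example, not part of the original post or of the generated template; `RedirectGuard`, `FixedBaseNavigationManager`, the base URI and the sample inputs are constructed for illustration. It assumes a project that references the ASP.NET Core shared framework.

```csharp
// Added illustration, not template code. Assumes a project that references the
// ASP.NET Core shared framework (for example one using Microsoft.NET.Sdk.Web).
using System;
using Microsoft.AspNetCore.Components;

// Constructed base URI and current URI for the test double.
var nav = new FixedBaseNavigationManager(
    "https://app.example/", "https://app.example/Account/Login");

// Constructed inputs: relative, absolute under the base, absolute elsewhere.
string[] inputs =
{
    "Account/Manage",
    "https://app.example/Account/Manage",
    "https://other.example/landing",
};

foreach (var input in inputs)
{
    try
    {
        Console.WriteLine($"{input} -> would navigate to \"{RedirectGuard.Normalize(nav, input)}\"");
    }
    catch (ArgumentException ex)
    {
        // ToBaseRelativePath throws when the URI is not contained by BaseUri,
        // so in RedirectTo the NavigateTo call would never be reached.
        Console.WriteLine($"{input} -> rejected: {ex.Message}");
    }
}

static class RedirectGuard
{
    // Same check as in RedirectTo, returning the value instead of navigating.
    public static string Normalize(NavigationManager nav, string? uri)
    {
        uri ??= "";
        if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
        {
            uri = nav.ToBaseRelativePath(uri);
        }
        return uri;
    }
}

// Hypothetical test double: fixes BaseUri and Uri, never navigates.
sealed class FixedBaseNavigationManager : NavigationManager
{
    public FixedBaseNavigationManager(string baseUri, string uri) => Initialize(baseUri, uri);
}
```

Running it against the input shapes your application actually receives gives concrete evidence to attach when marking the issue as a false positive.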