Bug 1410938

Summary: Using default ports produces bad request error
Product: [Fedora] Fedora
Reporter: John Dennis <jdennis>
Component: keycloak-httpd-client-install
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 24
CC: jdennis
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: keycloak-httpd-client-install-0.5-1.fc24
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1410940 1414152 1414154 1414156
Environment:
Last Closed: 2017-01-16 20:49:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1410940, 1414152, 1414154, 1414156

Description John Dennis 2017-01-06 21:33:08 UTC
Explicitly specifying a default port (e.g. http://example.com:80 or
https://example.com:443) will cause Mellon to fail. This occurs
because the port gets embedded into the location URL for each endpoint
in the SP metadata (e.g. the Assertion Consumer Service). The IdP sets
the Destination attribute in the SAML response by looking it up in the
SP metadata, thus the Destination will have the default port in it
(e.g. 443). Upon receiving the SAML response the SP compares the URL
of the request to the Destination attribute in the SAML response; they
must match for the response to be considered valid. However, when
Mellon asks Apache what the request URL was it won't have the port in
it, thus the URL comparison fails, causing the server to return a 503
Bad Request error. So why is the port absent? It turns out that most
(all?) browsers will strip the port from a URL if it matches the port
for the scheme (e.g. 80 for http and 443 for https). Thus even if you
include the port in the URL it will never be included in the URL the
browser emits. This also includes stripping the port from the HTTP
host header (which Apache uses to reconstruct the URL).

The fix is to have keycloak-httpd-client-install recognize when a
default port has been specified and remove it from the mellon host
URL so it does not get embedded into any of the SAML endpoints.
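The default-port normalisation the report describes, as an added example written for this page (it is not keycloak-httpd-client-install's own code, and the endpoint path and sample URLs are constructed). It strips an explicit port only when it is the scheme's default, so the endpoint URLs placed in SP metadata take the same form a browser puts in the request URL and Host header; the demo shows the Destination comparison failing with the raw host URL and succeeding with the normalised one. Stripping is generalised beyond the report's two cases to IPv6 literals and userinfo, which the text does not cover.

```python
from urllib.parse import urlsplit, urlunsplit

# Scheme -> default port. Browsers drop these from the URL and Host header.
DEFAULT_PORTS = {"http": 80, "https": 443}


def strip_default_port(url: str) -> str:
    """Return url with its explicit port removed when it is the scheme's default.

    URLs without a port, or with a non-default port, are returned unchanged.
    """
    parts = urlsplit(url)
    # urlsplit lower-cases the scheme; .port is an int or None
    if parts.port is None or DEFAULT_PORTS.get(parts.scheme) != parts.port:
        return url
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # IPv6 literal keeps its brackets
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    return urlunsplit((parts.scheme, userinfo + host, parts.path, parts.query, parts.fragment))


def acs_endpoint(mellon_host_url: str, fixed: bool = True) -> str:
    """Build the Assertion Consumer Service URL written into the SP metadata.

    fixed=False reproduces the pre-fix behaviour: the host URL is embedded as given.
    The path is a constructed placeholder, not a value taken from the report.
    """
    base = strip_default_port(mellon_host_url) if fixed else mellon_host_url
    return base.rstrip("/") + "/mellon/postResponse"


def destination_matches(destination: str, request_url: str) -> bool:
    """SP-side check as the report describes it: the Destination attribute
    must equal the request URL Apache reconstructed (exact string match)."""
    return destination == request_url


def demo() -> tuple[bool, bool]:
    """Constructed scenario: the browser has already dropped :443 from the request."""
    request_url = "https://example.com/mellon/postResponse"
    before = destination_matches(acs_endpoint("https://example.com:443", fixed=False), request_url)
    after = destination_matches(acs_endpoint("https://example.com:443"), request_url)
    return before, after  # (False, True)


if __name__ == "__main__":
    print(demo())
```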

Comment 1 Fedora Update System 2017-01-06 23:05:29 UTC
keycloak-httpd-client-install-0.5-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d3ca5b534b

Comment 2 Fedora Update System 2017-01-08 01:19:38 UTC
keycloak-httpd-client-install-0.5-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d3ca5b534b

Comment 3 Fedora Update System 2017-01-16 20:49:45 UTC
keycloak-httpd-client-install-0.5-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.