Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1413751 - Invalid Accept HTTP header generated during ECP flow
Summary: Invalid Accept HTTP header generated during ECP flow
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneauth1
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z3
: 10.0 (Newton)
Assignee: John Dennis
QA Contact: Prasanth Anbalagan
Depends On:
Blocks: 1413753
TreeView+ depends on / blocked
Reported: 2017-01-16 21:32 UTC by John Dennis
Modified: 2017-06-28 15:27 UTC (History)
5 users (show)

Fixed In Version: python-keystoneauth1-2.12.3-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1413753 (view as bug list)
Last Closed: 2017-06-28 15:27:21 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Launchpad 1656946 0 None None None 2017-01-16 21:32:37 UTC
Red Hat Product Errata RHBA-2017:1587 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 Bug Fix and Enhancement Advisory 2017-06-28 19:11:42 UTC

Description John Dennis 2017-01-16 21:32:37 UTC
During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

Comment 3 Prasanth Anbalagan 2017-06-26 16:47:28 UTC

Have a few questions about verifying this bug,

1) I suppose it needs to be tested on a Keystone Federation Setup using ECP client.
2) What is the command I need to use from the ECP client to verify the header?

Comment 8 errata-xmlrpc 2017-06-28 15:27:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.