Bug 1413753 - Invalid Accept HTTP header generated during ECP flow
Summary: Invalid Accept HTTP header generated during ECP flow
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneauth1
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: John Dennis
QA Contact: Shai Revivo
Depends On: 1413751
TreeView+ depends on / blocked
Reported: 2017-01-16 21:37 UTC by John Dennis
Modified: 2017-06-07 17:34 UTC (History)
6 users (show)

Fixed In Version: python-keystoneauth1-2.18.0-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1413751
Last Closed: 2017-06-07 17:34:36 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Launchpad 1656946 0 None None None 2017-01-16 21:37:17 UTC

Description John Dennis 2017-01-16 21:37:18 UTC
+++ This bug was initially created as a clone of Bug #1413751 +++

During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

Comment 1 Nathan Kinder 2017-06-07 17:34:36 UTC
This was fixed in the initial 2.18.0 release upstream, which is the version that was shipped for OSP11.  Closing this as CURRENTRELEASE.

Note You need to log in before you can comment on or make changes to this bug.