Bug 1415898 - keystoneauth generates invalid Accept HTTP header Edit [NEEDINFO]
Summary: keystoneauth generates invalid Accept HTTP header Edit
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneauth1
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: 10.0 (Newton)
Assignee: John Dennis
QA Contact: Rodrigo Duarte
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-24 02:55 UTC by John Dennis
Modified: 2017-03-01 13:38 UTC (History)
6 users (show)

Fixed In Version: python-keystoneauth1-2.12.2-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-03-01 13:38:42 UTC
Target Upstream Version:
mlopes: needinfo? (jdennis)

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Launchpad 1656946 0 None None None 2017-01-24 03:02:35 UTC
Red Hat Product Errata RHBA-2017:0355 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 Bug Fix and Enhancement Advisory 2017-03-01 18:33:11 UTC

Description John Dennis 2017-01-24 02:55:39 UTC
During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

The irony is this issue was originally reported here:

And merged here:

But this was done about the time all the client libs and openstack client were being developed and Jamie Lenox noted the fix needs to be merged at some point in that code, but as far as I can tell that work was abandoned when the branch was abandoned.

All of this is to say we need to apply the same trivial 1 character fix to keystoneauth that was lost along the way.

Comment 1 John Dennis 2017-01-24 02:58:49 UTC
Merged upstream in:

master: b1301e606d29a99da9c81d4c1627a6bba4b0ddcc

stable/newton: 13b0e07b7ba58dcc1b743815743c655701d7b206

Already present in stable/ocata when branched from master.

Comment 2 John Dennis 2017-01-24 03:01:01 UTC
Patch is necessary to make Keystone federation work.

Comment 3 John Dennis 2017-01-24 03:04:19 UTC
Upstream gerrit review for master is:

Upstream gerrit review for stable/newton is:

Comment 7 Rodrigo Duarte 2017-02-21 23:28:48 UTC
verified for python-keystoneauth1-2.18.0

- try to use the v3samlpasswrod plugin:

$ openstack --debug --insecure --os-auth-url --os-identity-api-version 3 --os-auth-type v3samlpassword ...

- digging up in the logs, we can find 'Accept': '*/*,application/vnd.paos+xml', the header is correctly using , instead of ;

Comment 9 errata-xmlrpc 2017-03-01 13:38:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.