When SAML logout is initiated via a web browser by navigating to:
https://gluu.server/idp/Authn/oxAuth/logout
the logout flow proceeds with the following HTTP requests:
GET https://gluu.server/oxauth/restv1/end_session?id_token_hint=.....
GET https://gluu.server/idp/Authn/oxAuth/ssologout?sid=.....
For both GET requests, the Gluu server returns 200 OK responses:
For the first one (end_session):
HTTP/1.1 200 OK
Date: Wed, 10 Jul 2019 06:01:41 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-transform, no-store
Content-Type: text/html
Pragma: no-cache
Content-Length: 449
Set-Cookie: consent_session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
opbs=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
Connection: close
For the second one (ssologout):
HTTP/1.1 200 OK
Date: Wed, 10 Jul 2019 06:01:42 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 0
Connection: close
In the above response to ssologout, the Content-Type header is missing, which confuses the Safari web browser on e.g. iPad - it offers to open 'ssologout' with some binary application. Such web browser behaviour is correct according to RFC7231: If a Content-Type header field is not present, the recipient MAY either assume a media type of "application/octet-stream"...
To fix, the response to ssologout should contain:
Content-Type: text/html
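As an added example (not code from the issue above or from the Gluu project), the following Python script parses captured HTTP/1.1 responses, flags any response that can carry a body but has no Content-Type header, and shows the reporter's proposed fix applied to the ssologout response. The two sample responses are constructed here from the headers quoted in the report; the end_session body text is invented filler, and the exemption of 1xx/204/304 responses is the RFC 7231 rule that those status codes carry no payload.

```python
"""Audit captured HTTP responses for a missing Content-Type header.

Added example, not part of the Gluu issue or project. The two sample
responses are constructed to mirror the headers quoted in the report.
"""
from typing import List, Tuple

# Constructed sample: the end_session response from the report (body is filler,
# the real capture had a 449-byte HTML body).
END_SESSION_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Wed, 10 Jul 2019 06:01:41 GMT",
    "Server: Jetty(9.4.12.v20180830)",
    "X-Xss-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT",
    "Cache-Control: no-transform, no-store",
    "Content-Type: text/html",
    "Pragma: no-cache",
    "Content-Length: 449",
    "Set-Cookie: consent_session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly",
    "Set-Cookie: session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly",
    "Set-Cookie: opbs=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly",
    "Connection: close",
    "",
    "<html>constructed placeholder body</html>",
])

# Constructed sample: the ssologout response from the report (no body at all).
SSOLOGOUT_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Wed, 10 Jul 2019 06:01:42 GMT",
    "Server: Jetty(9.4.12.v20180830)",
    "X-Xss-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Length: 0",
    "Connection: close",
    "",
    "",
])


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into its status line and (name, value)
    header pairs. Names are lower-cased; repeated headers such as several
    Set-Cookie lines are kept as separate pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_content_type(raw: str) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    status_line, headers = parse_response(raw)
    names = {name for name, _ in headers}
    status = int(status_line.split()[1])
    # 1xx, 204 and 304 responses carry no payload (RFC 7231 / RFC 7230), so a
    # missing Content-Type is expected there. A 200, even with Content-Length: 0,
    # is a payload-bearing response and needs a media type.
    bodyless = status < 200 or status in (204, 304)
    findings: List[str] = []
    if not bodyless and "content-type" not in names:
        findings.append(
            f"{status_line}: no Content-Type header; per RFC 7231 s3.1.1.5 the "
            "client may assume application/octet-stream and offer a download")
    return findings


def with_content_type(raw: str, media_type: str) -> str:
    """Apply the reporter's fix: add a Content-Type header if none is present."""
    _status_line, headers = parse_response(raw)
    if any(name == "content-type" for name, _ in headers):
        return raw
    head, sep, body = raw.partition("\r\n\r\n")
    return head + "\r\nContent-Type: " + media_type + sep + body


if __name__ == "__main__":
    for label, raw in (("end_session", END_SESSION_RESPONSE),
                       ("ssologout", SSOLOGOUT_RESPONSE)):
        print(label, audit_content_type(raw) or ["ok"])
    print("ssologout (fixed)",
          audit_content_type(with_content_type(SSOLOGOUT_RESPONSE, "text/html")) or ["ok"])
```

Running the script reports the end_session response as clean and the ssologout response as missing Content-Type; after with_content_type adds text/html, the second response passes as well. The same audit can be pointed at any captured response pair to confirm the fix has shipped.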