OIDC Authorize response varies depending on the Accept header: 200 OK if it includes application/json, 302 otherwise
Concerned version
Version: 2.0.15.1
Platform: Nginx
Summary
When calling the /oauth2/authorize endpoint, we've found that if the Accept request header includes application/json, regardless of the other MIME types listed, the response is a 200 OK instead of the usual 302 with a Location carrying session_state, state and code.
Logs
[1] Network request and response. First, without application/json in Accept:
curl -v 'https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D' \
-H 'DNT: 1' \
-H 'Origin: https://internal-foobar-server.com' \
-H 'Pragma: no-cache' \
-H 'Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw 'url=aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D&timezone=0&skin=newnos&user=username&password=mysecretpassword' \
--compressed
* Trying 10.228.56.68:443...
* Connected to internal-foobar-server.com (10.228.56.68) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.internal-foobar-server.com
* start date: Dec 14 00:00:00 2021 GMT
* expire date: Dec 14 23:59:59 2022 GMT
* subjectAltName: host "internal-foobar-server.com" matched cert's "*.internal-foobar-server.com"
* issuer: C=PT; ST=Lisboa; L=Lisboa; O=MarketWare - foobar certifier
* SSL certificate verify ok.
> POST /oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab HTTP/1.1
> Host: internal-foobar-server.com
> Accept-Encoding: deflate, gzip
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
> Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
> DNT: 1
> Origin: https://internal-foobar-server.com
> Pragma: no-cache
> Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
> sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "macOS"
> Content-Length: 114
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.20.1
< Date: Wed, 16 Nov 2022 14:31:42 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://internal-foobar-server.com/app/login?session_state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab&code=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
< Set-Cookie: lemonldapqms=0342658107147fd515ca26abf69014d8eb24cbfe6af7d23b6a490401512f88f8; domain=.internal-foobar-server.com; path=/; HttpOnly=1; SameSite=None; secure
< Set-Cookie: lemonldapqmspdata=; path=/; expires=Wed, 21 Oct 2015 00:00:00 GMT; HttpOnly=1; SameSite=None; secure
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Headers: X-Requested-With, authorization
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host internal-foobar-server.com left intact
---
[2] The same request, but with application/json added to the Accept HTTP header:
curl -v 'https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Accept: text/html,application/xhtml+xml,application/json,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D' \
-H 'DNT: 1' \
-H 'Origin: https://internal-foobar-server.com' \
-H 'Pragma: no-cache' \
-H 'Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw 'url=aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D&timezone=0&skin=newnos&user=username&password=mysecretpassword' \
--compressed
* Trying 10.228.56.68:443...
* Connected to internal-foobar-server.com (10.228.56.68) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.internal-foobar-server.com
* start date: Dec 14 00:00:00 2021 GMT
* expire date: Dec 14 23:59:59 2022 GMT
* subjectAltName: host "internal-foobar-server.com" matched cert's "*.internal-foobar-server.com"
* issuer: C=PT; ST=Lisboa; L=Lisboa; O=MarketWare - foobar certifier
* SSL certificate verify ok.
> POST /oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab HTTP/1.1
> Host: internal-foobar-server.com
> Accept-Encoding: deflate, gzip
> Accept: text/html,application/xhtml+xml,application/json,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
> Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
> DNT: 1
> Origin: https://internal-foobar-server.com
> Pragma: no-cache
> Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
> sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "macOS"
> Content-Length: 114
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Wed, 16 Nov 2022 14:47:47 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: lemonldapqms=ababababababaabababa1656bc52b3f2956df81fb46cababababa; domain=.internal-foobar-server.comt; path=/; HttpOnly=1; SameSite=None; secure
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Methods: *
< Access-Control-Allow-Credentials: true
< Set-Cookie: lemonldapqmspdata=; path=/; expires=Wed, 21 Oct 2015 00:00:00 GMT; HttpOnly=1; SameSite=None; secure
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Headers: X-Requested-With, authorization
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host internal-foobar-server.com left intact
{"error":"-2","id":"ababababababababa6bc52b3f2956df81fb46c40230abababababababa","result":1}%
Backends used
The issue is simply that the response comes back as a 200 OK with Content-Type: application/json, completely different from the 302 Location returned when the request's Accept header does not include application/json.
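The two response shapes above are the ones a relying party has to tell apart. The following is an added example, not code from this report or from the OIDC provider it concerns: a client-side classifier that accepts an authorization result only from a 302 whose Location points at the registered redirect_uri and carries the expected state, and treats the JSON 200 shape as "not an authorization response". The sample responses are constructed from the report's anonymised values; the function and constant names are my own.

```python
"""Classify /oauth2/authorize responses of the two shapes shown in the report."""
import json
from urllib.parse import urlsplit, parse_qs

# Constructed from the report (values are the report's placeholders).
STATE = "abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab"
REDIRECT_URI = "https://internal-foobar-server.com/app/login"
SAMPLE_302 = (302, {"Location": f"{REDIRECT_URI}?session_state={STATE}&state={STATE}&code={STATE}"}, "")
SAMPLE_200 = (200, {"Content-Type": "application/json; charset=utf-8"},
              '{"error":"-2","id":"ababababababababa6bc52b3f2956df81fb46c40230abababababababa","result":1}')


def parse_authorize_response(status, headers, body, expected_state, redirect_uri):
    """Return ("code", code) for a valid 302, ("json", dict) for the JSON 200 shape,
    or ("reject", reason) for anything the client must not act on."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 302:
        got, want = urlsplit(h.get("location", "")), urlsplit(redirect_uri)
        # The redirect must land on the registered redirect_uri (scheme, host, path).
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
            return ("reject", "redirect target mismatch")
        q = parse_qs(got.query)
        # state binds the response to the request this client started (CSRF protection).
        if q.get("state", [None])[0] != expected_state:
            return ("reject", "state mismatch")
        if "code" not in q:
            return ("reject", "no code in redirect")
        return ("code", q["code"][0])
    if status == 200 and h.get("content-type", "").startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return ("reject", "unparseable JSON body")
        # The JSON body carries no code or state, so it can never complete the flow.
        return ("json", doc)
    return ("reject", f"unexpected status {status}")


def classify_samples():
    """Run both report responses through the classifier."""
    return {
        "without_json_accept": parse_authorize_response(*SAMPLE_302, STATE, REDIRECT_URI),
        "with_json_accept": parse_authorize_response(*SAMPLE_200, STATE, REDIRECT_URI),
    }


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(name, "->", result[0])
```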