By: Spencer McCoubrey user 10 Jun 2019 at 3:35 p.m. CDT

4 Responses
## Expected behaviour

Try to access our application's website on macOS Safari or iOS. If not logged in, init the implicit flow and be redirected to the Gluu login page. After successful login, be redirected back to our application's website.

## Actual behaviour

On macOS Safari and iOS only, after successful login the user is not properly redirected back to our application's website. During the redirect process, the user receives a 403 Forbidden error response, preventing them from being redirected fully back to our site. Note that if the user manually navigates back to our website, they will be logged in. The user is successfully logged in (and the logs confirm as such, as seen below), yet the user is not being redirected fully.

## Log Files

```
2019-06-10 20:29:43,839 INFO [qtp804611486-18] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=#############,ou=session,o=####################,o=gluu', id='##################', lastUsedAt=Mon Jun 10 20:29:43 UTC 2019, userDn='inum=#################,ou=people,o=##############,o=gluu', authenticationTime=Mon Jun 10 20:29:43 UTC 2019, state=authenticated, sessionState='##################', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@#####, involvedClients=null, sessionAttributes={auth_external_attributes=[{"externalProviders":"java.lang.String"}], opbs=###############, externalProviders={"google": {"requestForEmail": false, "emailLinkingSafe": true, "logo_img": "img/google.png", "saml": false}}, response_type=id_token token, nonce=#############, client_id=#########################, auth_step=1, acr=passport_social, remote_ip=72.142.16.190, auth_user=admin, scope=clientinfo email openid phone profile user_name, redirect_uri=#####################, state=#############}, persisted=true}
2019-06-10 20:29:43,843 INFO [qtp804611486-18] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@#####
2019-06-10 20:29:43,844 INFO [qtp804611486-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:409) - Authentication success for User: 'admin'
```

## HAR log for failure

```json
{ "log": { "version": "1.2", "creator": { "name": "WebKit Web Inspector", "version": "605.1.15" }, "pages": [ { "startedDateTime": "2019-06-11T00:31:34.489Z", "id": "page_0", "title": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_ID&redirect_uri=REDIRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID", "pageTimings": { "onContentLoad": 61745.33340000198, "onLoad": 61745.0993579987 } } ], "entries": [
{ "pageref": "page_0", "startedDateTime": "2019-06-11T00:31:34.489Z", "time": 260.69195877062157, "request": { "method": "POST", "url": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_IDa&redirect_uri=REDIRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID", "httpVersion": "HTTP/1.1", "cookies": [ { "name": "csfcfc", "value": "GdWl3cP7" }, { "name": "rp_origin_id", "value": "https://REDIRECT_URI" }, { "name": "opbs", "value": "81f287ec-4174-4086-9b5d-c758fc6d2f40" }, { "name": "org.gluu.i18n.Locale", "value": "en" }, { "name": "session_id", "value": "SESSION_ID" }, { "name": "session_state", "value": "SESSION_STATE" } ], "headers": [ { "name": "Cookie", "value": "csfcfc=GdWl3cP7; rp_origin_id=https://REDIRECT_URI; opbs=OPBS; org.gluu.i18n.Locale=en; session_id=SESSION_ID; session_state=SESSION_STATE" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" }, { "name": "Origin", "value": "https://gluu.hostname" }, { "name": "Accept-Encoding", "value": "br, gzip, deflate" }, { "name": "Host", "value": "gluu.hostname" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" }, { "name": "Accept-Language", "value": "en-ca" }, { "name": "Referer", "value": "https://gluu.hostname/oxauth/auth/passport/passportlogin.htm" }, { "name": "Connection", "value": "keep-alive" } ], "queryString": [ { "name": "scope", "value": "clientinfo email openid phone profile user_name" }, { "name": "response_type", "value": "id_token token" }, { "name": "session_id", "value": "SESSION_ID" }, { "name": "redirect_uri", "value": "https://CORRECT_URI" }, { "name": "state", "value": "STATE" }, { "name": "nonce", "value": "NONCE" }, { "name": "client_id", "value": "CLIENT_ID" } ], "headersSize": 3032, "bodySize": 162, "postData": { "mimeType": "", "text": "loginForm=loginForm&loginForm%3Ausername=USERNAMEW&loginForm%3Apassword=PASSWORD&loginForm%3Aprovider=&loginForm%3AloginButton=Sign+in&javax.faces.ViewState=stateless", "params": [] } }, "response": { "status": 403, "statusText": "Forbidden", "httpVersion": "HTTP/1.1", "cookies": [], "headers": [ { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "Content-Type", "value": "text/plain" }, { "name": "Date", "value": "Tue, 11 Jun 2019 00:31:36 GMT" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Content-Length", "value": "0" }, { "name": "Connection", "value": "close" }, { "name": "Server", "value": "Jetty(9.4.12.v20180830)" }, { "name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" } ], "content": { "size": 0, "compression": 0, "mimeType": "text/plain" }, "redirectURL": "", "headersSize": 2520, "bodySize": 0, "_transferSize": 2520 }, "cache": {}, "timings": { "blocked": 195.2428401564248, "dns": -1, "connect": 44.00002956390381, "ssl": 23.000001907348633, "send": 0.22411346435546875, "wait": 20.36595344543457, "receive": 0.8590221405029297 }, "serverIPAddress": "ServerIPRemoved", "connection": "65", "_fetchType": "Network Load" },
{ "pageref": "page_0", "startedDateTime": "2019-06-11T00:31:34.855Z", "time": 386.50596141815186, "request": { "method": "GET", "url": "https://gluu.hostname/favicon.ico", "httpVersion": "HTTP/1.1", "cookies": [ { "name": "opbs", "value": "OPBS" }, { "name": "org.gluu.i18n.Locale", "value": "en" }, { "name": "session_id", "value": "SESSIONS_ID" }, { "name": "session_state", "value": "SESSION_STATE" } ], "headers": [ { "name": "Cookie", "value": "opbs=81f287ec-4174-4086-9b5d-c758fc6d2f40; org.gluu.i18n.Locale=en; session_id=SESSION_ID; session_state=SESSION_STATE" }, { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "br, gzip, deflate" }, { "name": "Host", "value": "gluu.hostname" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" }, { "name": "Accept-Language", "value": "en-ca" }, { "name": "Referer", "value": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_ID&redirect_uri=CORRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID" }, { "name": "Connection", "value": "keep-alive" } ], "queryString": [], "headersSize": 938, "bodySize": 0 }, "response": { "status": 404, "statusText": "Not Found", "httpVersion": "HTTP/1.1", "cookies": [], "headers": [ { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "Content-Type", "value": "text/html; charset=iso-8859-1" }, { "name": "Date", "value": "Tue, 11 Jun 2019 00:31:36 GMT" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Content-Length", "value": "273" }, { "name": "Connection", "value": "close" }, { "name": "Server", "value": "Apache" }, { "name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" } ], "content": { "size": 273, "compression": 0, "mimeType": "text/html", "text": "\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /favicon.ico was not found on this server.</p>\n<hr>\n<address>Apache Server at gluu.verto.ca Port 443</address>\n</body></html>\n" }, "redirectURL": "", "headersSize": 294, "bodySize": 273, "_transferSize": 567 }, "cache": {}, "timings": { "blocked": 2.624988555908203, "dns": -1, "connect": 146.99995517730713, "ssl": 113.0000352859497, "send": 0.20706653594970703, "wait": 228.9559841156006, "receive": 7.7179670333862305 }, "serverIPAddress": "ServerIPRemoved", "connection": "Int", "_fetchType": "Network Load" }
] } }
```

By Aliaksandr Samuseu staff 10 Jun 2019 at 4:39 p.m. CDT

Hi, Spencer. At least for Safari, you should be able to record the failing flow and export it as a HAR file. You can find some hints on how to do this [here](https://stackoverflow.com/questions/46814901/how-can-you-export-a-har-file-on-safari). Please share the HAR file with us then.

By Spencer McCoubrey user 10 Jun 2019 at 7:47 p.m. CDT

```json
{ "log": { "version": "1.2", "creator": { "name": "WebKit Web Inspector", "version": "605.1.15" }, "pages": [ { "startedDateTime": "2019-06-11T00:31:34.489Z", "id": "page_0", "title": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_ID&redirect_uri=REDIRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID", "pageTimings": { "onContentLoad": 61745.33340000198, "onLoad": 61745.0993579987 } } ], "entries": [
{ "pageref": "page_0", "startedDateTime": "2019-06-11T00:31:34.489Z", "time": 260.69195877062157, "request": { "method": "POST", "url": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_IDa&redirect_uri=REDIRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID", "httpVersion": "HTTP/1.1", "cookies": [ { "name": "csfcfc", "value": "GdWl3cP7" }, { "name": "rp_origin_id", "value": "https://REDIRECT_URI" }, { "name": "opbs", "value": "81f287ec-4174-4086-9b5d-c758fc6d2f40" }, { "name": "org.gluu.i18n.Locale", "value": "en" }, { "name": "session_id", "value": "SESSION_ID" }, { "name": "session_state", "value": "SESSION_STATE" } ], "headers": [ { "name": "Cookie", "value": "csfcfc=GdWl3cP7; rp_origin_id=https://REDIRECT_URI; opbs=OPBS; org.gluu.i18n.Locale=en; session_id=SESSION_ID; session_state=SESSION_STATE" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" }, { "name": "Origin", "value": "https://gluu.hostname" }, { "name": "Accept-Encoding", "value": "br, gzip, deflate" }, { "name": "Host", "value": "gluu.hostname" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" }, { "name": "Accept-Language", "value": "en-ca" }, { "name": "Referer", "value": "https://gluu.hostname/oxauth/auth/passport/passportlogin.htm" }, { "name": "Connection", "value": "keep-alive" } ], "queryString": [ { "name": "scope", "value": "clientinfo email openid phone profile user_name" }, { "name": "response_type", "value": "id_token token" }, { "name": "session_id", "value": "SESSION_ID" }, { "name": "redirect_uri", "value": "https://CORRECT_URI" }, { "name": "state", "value": "STATE" }, { "name": "nonce", "value": "NONCE" }, { "name": "client_id", "value": "CLIENT_ID" } ], "headersSize": 3032, "bodySize": 162, "postData": { "mimeType": "", "text": "loginForm=loginForm&loginForm%3Ausername=USERNAMEW&loginForm%3Apassword=PASSWORD&loginForm%3Aprovider=&loginForm%3AloginButton=Sign+in&javax.faces.ViewState=stateless", "params": [] } }, "response": { "status": 403, "statusText": "Forbidden", "httpVersion": "HTTP/1.1", "cookies": [], "headers": [ { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "Content-Type", "value": "text/plain" }, { "name": "Date", "value": "Tue, 11 Jun 2019 00:31:36 GMT" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Content-Length", "value": "0" }, { "name": "Connection", "value": "close" }, { "name": "Server", "value": "Jetty(9.4.12.v20180830)" }, { "name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" } ], "content": { "size": 0, "compression": 0, "mimeType": "text/plain" }, "redirectURL": "", "headersSize": 2520, "bodySize": 0, "_transferSize": 2520 }, "cache": {}, "timings": { "blocked": 195.2428401564248, "dns": -1, "connect": 44.00002956390381, "ssl": 23.000001907348633, "send": 0.22411346435546875, "wait": 20.36595344543457, "receive": 0.8590221405029297 }, "serverIPAddress": "ServerIPRemoved", "connection": "65", "_fetchType": "Network Load" },
{ "pageref": "page_0", "startedDateTime": "2019-06-11T00:31:34.855Z", "time": 386.50596141815186, "request": { "method": "GET", "url": "https://gluu.hostname/favicon.ico", "httpVersion": "HTTP/1.1", "cookies": [ { "name": "opbs", "value": "OPBS" }, { "name": "org.gluu.i18n.Locale", "value": "en" }, { "name": "session_id", "value": "SESSIONS_ID" }, { "name": "session_state", "value": "SESSION_STATE" } ], "headers": [ { "name": "Cookie", "value": "opbs=81f287ec-4174-4086-9b5d-c758fc6d2f40; org.gluu.i18n.Locale=en; session_id=SESSION_ID; session_state=SESSION_STATE" }, { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "br, gzip, deflate" }, { "name": "Host", "value": "gluu.hostname" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" }, { "name": "Accept-Language", "value": "en-ca" }, { "name": "Referer", "value": "https://gluu.hostname/oxauth/restv1/authorize?scope=clientinfo+email+openid+phone+profile+user_name&response_type=id_token+token&session_id=SESSION_ID&redirect_uri=CORRECT_URI&state=STATE&nonce=NONCE&client_id=CLIENT_ID" }, { "name": "Connection", "value": "keep-alive" } ], "queryString": [], "headersSize": 938, "bodySize": 0 }, "response": { "status": 404, "statusText": "Not Found", "httpVersion": "HTTP/1.1", "cookies": [], "headers": [ { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "Content-Type", "value": "text/html; charset=iso-8859-1" }, { "name": "Date", "value": "Tue, 11 Jun 2019 00:31:36 GMT" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Content-Length", "value": "273" }, { "name": "Connection", "value": "close" }, { "name": "Server", "value": "Apache" }, { "name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" } ], "content": { "size": 273, "compression": 0, "mimeType": "text/html", "text": "\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /favicon.ico was not found on this server.</p>\n<hr>\n<address>Apache Server at gluu.verto.ca Port 443</address>\n</body></html>\n" }, "redirectURL": "", "headersSize": 294, "bodySize": 273, "_transferSize": 567 }, "cache": {}, "timings": { "blocked": 2.624988555908203, "dns": -1, "connect": 146.99995517730713, "ssl": 113.0000352859497, "send": 0.20706653594970703, "wait": 228.9559841156006, "receive": 7.7179670333862305 }, "serverIPAddress": "ServerIPRemoved", "connection": "Int", "_fetchType": "Network Load" }
] } }
```

Here is the HAR file as requested. I redacted what I believed to be any identifying info, and possibly more than I needed to.

By Spencer McCoubrey user 14 Jun 2019 at 3:06 p.m. CDT

@Aliaksandr.Samuseu I was wondering if I could get an update on the status of my ticket, as this bug is hindering our development. Thanks

By Aliaksandr Samuseu staff 23 Aug 2019 at 5:59 p.m. CDT

Hi, Spencer. Sorry for the delayed answer. If you are still experiencing this issue, please provide a more complete HAR file for the flow - the one you shared doesn't show the context of what happens, it's just a single request to the authorization endpoint. Unless it's exactly what happens, of course, then it's not a correct flow at all.
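The reply above asks for a capture that shows the whole flow rather than one request, and the earlier post shows how much a HAR can leak (session cookies, form credentials, and in the implicit flow the tokens in the redirect fragment). The following script is an added example for this thread, not Gluu's code and not something any participant posted: it walks a HAR's entries in capture order, reports whether the capture contains the authorize request, the login POST and the redirect that hands the browser back to the relying party, and masks sensitive values so the file can be shared. It assumes the hypothetical hosts `op.example` and `rp.example`, the `/oxauth/restv1/authorize` path seen in the thread, and two constructed captures: one mirroring the single 403 in the thread, one showing a complete implicit-flow login.

```python
"""Triage and redact a HAR capture of an OpenID Connect login flow (added example)."""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

AUTHORIZE_PATH = "/oxauth/restv1/authorize"  # oxAuth authorization endpoint, as in the thread
SENSITIVE_COOKIES = {"session_id", "session_state", "opbs"}
SENSITIVE_PARAMS = {"password", "access_token", "id_token", "code", "session_id"}
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}


def _header(headers, name):
    return next((h["value"] for h in headers if h["name"].lower() == name), "")


def flow_steps(har):
    """One compact record per entry, in capture order."""
    steps = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        steps.append({"method": req["method"], "host": url.netloc, "path": url.path,
                      "status": resp["status"], "location": _header(resp["headers"], "location")})
    return steps


def triage(har):
    """Say whether the capture shows a whole login flow or only a piece of it."""
    steps = flow_steps(har)
    authorize = [s for s in steps if s["path"] == AUTHORIZE_PATH]
    op_hosts = {s["host"] for s in authorize}
    redirects = [s for s in steps if 300 <= s["status"] < 400 and s["location"]]
    # The hand-back to the relying party is the redirect whose target leaves the OP's host.
    returned_to_rp = any((urlsplit(s["location"]).netloc or s["host"]) not in op_hosts
                         for s in redirects)
    errors = [(s["method"], s["path"], s["status"]) for s in steps
              if s["status"] >= 400 and s["path"] != "/favicon.ico"]
    return {"entries": len(steps), "authorize_requests": len(authorize),
            "redirects": len(redirects), "returned_to_rp": returned_to_rp, "errors": errors,
            "complete": bool(authorize) and returned_to_rp and not errors}


def _mask_query(query, mask):
    # Form field names such as loginForm:password are matched on their last segment.
    return urlencode([(k, mask if k.rsplit(":", 1)[-1].lower() in SENSITIVE_PARAMS else v)
                      for k, v in parse_qsl(query, keep_blank_values=True)])


def _mask_url(url, mask):
    parts = urlsplit(url)  # query and fragment both masked; the implicit flow puts tokens in the fragment
    return parts._replace(query=_mask_query(parts.query, mask),
                          fragment=_mask_query(parts.fragment, mask)).geturl()


def redact(har, mask="REDACTED"):
    """Deep copy of the HAR with cookies, credentials and tokens masked; the input is untouched."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _mask_url(req["url"], mask)
        for c in req.get("cookies", []) + resp.get("cookies", []):
            if c["name"] in SENSITIVE_COOKIES:
                c["value"] = mask
        for h in req.get("headers", []) + resp.get("headers", []):
            name = h["name"].lower()
            if name in SENSITIVE_HEADERS:
                h["value"] = mask
            elif name in ("location", "referer"):
                h["value"] = _mask_url(h["value"], mask)
        for p in req.get("queryString", []):
            if p["name"] in SENSITIVE_PARAMS:
                p["value"] = mask
        if req.get("postData", {}).get("text"):
            req["postData"]["text"] = _mask_query(req["postData"]["text"], mask)
    return har


def to_json(har):
    return json.dumps(har, indent=2)


def _entry(method, url, status, location="", post_text="", cookies=()):
    """Build a minimal HAR entry; constructed sample data, not a real capture."""
    return {"request": {"method": method, "url": url,
                        "cookies": [{"name": n, "value": v} for n, v in cookies],
                        "headers": [{"name": "Cookie", "value": "; ".join(f"{n}={v}" for n, v in cookies)}] if cookies else [],
                        "queryString": [{"name": k, "value": v} for k, v in parse_qsl(urlsplit(url).query)],
                        "postData": {"mimeType": "application/x-www-form-urlencoded", "text": post_text}},
            "response": {"status": status, "cookies": [],
                         "headers": [{"name": "Location", "value": location}] if location else []}}


# Hypothetical hosts op.example (OP) and rp.example (relying party); every value below is made up.
OP = "https://op.example"
AUTHZ = (OP + AUTHORIZE_PATH + "?scope=openid&response_type=id_token+token&client_id=CLIENT"
         "&redirect_uri=https://rp.example/cb&state=abc&nonce=n1")
LOGIN_POST = ("loginForm=loginForm&loginForm%3Ausername=alice&loginForm%3Apassword=hunter2"
              "&javax.faces.ViewState=stateless")

# Constructed capture 1: only the failing login POST plus a favicon miss, like the HAR in the thread.
PARTIAL_HAR = {"log": {"entries": [
    _entry("POST", AUTHZ + "&session_id=s1", 403, post_text=LOGIN_POST,
           cookies=(("session_id", "s1"), ("opbs", "o1"))),
    _entry("GET", OP + "/favicon.ico", 404)]}}

# Constructed capture 2: the whole implicit flow, ending with tokens in the fragment of the redirect_uri.
FULL_HAR = {"log": {"entries": [
    _entry("GET", AUTHZ, 302, location=OP + "/oxauth/auth/passport/passportlogin.htm"),
    _entry("GET", OP + "/oxauth/auth/passport/passportlogin.htm", 200),
    _entry("POST", AUTHZ + "&session_id=s1", 302, post_text=LOGIN_POST, cookies=(("session_id", "s1"),),
           location="https://rp.example/cb#access_token=at1&id_token=jwt1&state=abc"),
    _entry("GET", "https://rp.example/cb", 200)]}}

if __name__ == "__main__":
    for name, har in (("partial", PARTIAL_HAR), ("full", FULL_HAR)):
        print(name, to_json(triage(har)))
    print(to_json(redact(PARTIAL_HAR)["log"]["entries"][0]["request"]))
```

Run it directly to print both triage reports and the redacted login request; for a real export, `json.load` the file and pass the result to `triage()` before sharing `redact()`'s output. The partial capture is reported as incomplete with the 403 listed as its only error and no hand-back to the relying party, which is exactly the gap the reply above points at; the full capture is reported complete because its second redirect leaves the OP's host.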