Closed Bug 1914363 Opened 1 month ago Closed 12 days ago

Keycloak OpenID Connect logout does not work

Categories

(Web Compatibility :: Site Reports, defect, P1)

Firefox 128
x86_64
Windows 10

Tracking

(firefox-esr115 unaffected, firefox-esr128 affected, firefox129 wontfix, firefox130 wontfix, firefox131 wontfix, firefox132 fixed)

RESOLVED FIXED

People

(Reporter: seevik, Assigned: valentin)

References

(Regression, )

Details

(Keywords: regression, webcompat:platform-bug, webcompat:site-report)

User Story

platform:windows,mac,linux,android
impact:workflow-broken
configuration:general
affects:all
branch:release
diagnosis-team:networking

Attachments

(1 obsolete file)

Steps to reproduce:

I get a 1x1 pixel PNG image with a gray screen when I click a link to a website such as this URL: https://timesheet2.trask.cz/auth/logout

Actual results:

Since Firefox version 128 I get a weird bug with some URL requests where I get a 1x1 PNG image as the URL response. Before version 128 everything was OK. For example, I have a Keycloak OIDC instance where I have secured my webpage with an OpenID Connect login page. When I wanted to log out, instead of the logout response I get a 1x1 PNG image as the result. I have no antiviruses; I've tested this on multiple computers in multiple different networks and have the same problem.

Expected results:

The webpage https://timesheet2.trask.cz/auth/logout should show me the logout page from my Keycloak instance, as it always did before Firefox version 128.

This is a huge problem for our company, where we have multiple applications secured with Keycloak OIDC and logout doesn't work in any of them.

I would also like to state that this only occurs in the Firefox browser, not in any other browsers.

OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Group: firefox-core-security
Component: Untriaged → Site Reports
Keywords: regression
Product: Firefox → Web Compatibility
Summary: 1 pixel png when redirect to logout endpoint → Keycloak OpenID Connect logout does not work

INFO: Last good revision: b65db35b56b67a06b6f1f9e07f26acfff4a079fe
INFO: First bad revision: 4375d3bfa8fe60b69166e27f639e2403164e7b08
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b65db35b56b67a06b6f1f9e07f26acfff4a079fe&tochange=4375d3bfa8fe60b69166e27f639e2403164e7b08

Status: UNCONFIRMED → NEW
Ever confirmed: true
Regressed by: 1711622

Hi Valentin, could you please take a look at this?

Flags: needinfo?(valentin.gosu)
Severity: -- → S2
User Story: (updated)
Priority: -- → P1

The problem is that our document accept header also includes the image formats.
https://searchfox.org/mozilla-central/rev/5959ec6b84d66592a77a3e5e2d2aedc1b3e7d4c5/netwerk/protocol/http/nsHttpHandler.cpp#233,244

// but we also insert all of the image formats before */*
...
mimeTypes.Append("image/webp,image/png,image/svg+xml,*/*;q=0.8");

This isn't exactly up to spec. We added image mime types to the document accept header in bug 1658008 but bug 1711622 added image/svg+xml to both the image and document accept header.
I think it shouldn't have been present in the document accept header.

Flags: needinfo?(valentin.gosu)
Assignee: nobody → valentin.gosu

I was wrong - it's not image/svg+xml that's causing the issue, but image/png.
Chrome also includes image formats in the document accept header, but they use image/apng instead:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

I'll add a pref whether to include image formats in the accept header, and default to false.
This should align us with the fetch spec and Safari.
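
Added example (not part of the bug report, and not Firefox or Keycloak code): a small Accept-header matcher showing why an explicit image/png entry changes what a server may return for a document navigation. The leading text/html portion of the Firefox header, the header shape after the fix, and the endpoint's offered types and tie-break rule are assumptions made for illustration.

```python
# Added example: Accept matching in the style of RFC 9110 (not Firefox or Keycloak code).
ASSUMED_PREFIX = "text/html,application/xhtml+xml,application/xml;q=0.9,"  # assumption
FIREFOX_128 = ASSUMED_PREFIX + "image/webp,image/png,image/svg+xml,*/*;q=0.8"  # tail from the bug
WITHOUT_IMAGES = ASSUMED_PREFIX + "*/*;q=0.8"  # assumed shape once image types are dropped
CHROME = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,"
          "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")  # quoted in the bug


def parse_accept(header):
    """Return (type, subtype, q) for every media range in an Accept header."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if "/" not in parts[0]:
            continue  # skip empty or malformed list members
        mtype, subtype = parts[0].lower().split("/", 1)
        q = 1.0  # a range without a q parameter has full weight
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat as not acceptable
        ranges.append((mtype, subtype, q))
    return ranges


def quality(media_type, header):
    """q-value of the most specific range matching media_type, 0.0 if none."""
    mtype, subtype = media_type.lower().split("/", 1)
    best = (-1, 0.0)  # (specificity, q)
    for r_type, r_sub, q in parse_accept(header):
        if (r_type, r_sub) == (mtype, subtype):
            spec = 2
        elif r_type == mtype and r_sub == "*":
            spec = 1
        elif (r_type, r_sub) == ("*", "*"):
            spec = 0
        else:
            continue
        if spec > best[0]:
            best = (spec, q)
    return best[1]


def negotiate(offered, header):
    """Highest q wins; a tie goes to the type the server declared first."""
    q, _, chosen = max((quality(t, header), -i, t) for i, t in enumerate(offered))
    return chosen if q > 0 else None
```

For a hypothetical handler that declares ["image/png", "text/html"], negotiate() returns image/png for FIREFOX_128 (both types weigh 1.0, so declaration order decides) and text/html for CHROME and WITHOUT_IMAGES, where image/png only matches */* at 0.8.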

This aligns us with the fetch spec and Safari.

This patch also adds a pref to control whether supported image formats are also
part of the document accept header - defaults to false.

Depends on: 1917177

Comment on attachment 9422763 [details]
Bug 1914363 - Remove image mime types from document accept header r=#necko

Revision D221110 was moved to bug 1917177. Setting attachment 9422763 [details] to obsolete.

Attachment #9422763 - Attachment is obsolete: true

Fixed in bug 1917177 which should ride to release

Status: NEW → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED

Bug 1917177 doesn't seem like the kind of bug we want to backport without plenty of bake time, but we may want to keep it on the ESR128 radar for some point down the line at least.
