diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
index 7e690e5..1b7852d 100644
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -146,7 +146,7 @@ func (s *Standalone) Login(w http.ResponseWriter, r *http.Request) {
  "redirect_after_login": canonicalRedirect,
  }
  mw.LogEntryFrom(r).WithFields(fields).Info("login: redirecting to identity provider")
- http.Redirect(w, r, login.AuthCodeURL(), http.StatusTemporaryRedirect)
+ http.Redirect(w, r, login.AuthCodeURL(), http.StatusSeeOther)
  }
  func (s *Standalone) LoginCallback(w http.ResponseWriter, r *http.Request) {
@@ -216,7 +216,7 @@ func (s *Standalone) LoginCallback(w http.ResponseWriter, r *http.Request) {
  mw.LogEntryFrom(r).WithFields(fields).Info("callback: successful login")
  metrics.ObserveLogin(tokens.IDToken.GetAmrClaim(), redirect)
  cookie.Clear(w, cookie.Retry, s.GetCookieOptions(r))
- http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
+ http.Redirect(w, r, redirect, http.StatusSeeOther)
  }
  func (s *Standalone) Logout(w http.ResponseWriter, r *http.Request) {
@@ -255,7 +255,7 @@ func (s *Standalone) logout(w http.ResponseWriter, r *http.Request, globalLogout
  if globalLogout {
  logger.Debug("logout: redirecting to identity provider for global/single-logout")
  metrics.ObserveLogout(metrics.LogoutOperationSelfInitiated)
- http.Redirect(w, r, logout.SingleLogoutURL(idToken), http.StatusTemporaryRedirect)
+ http.Redirect(w, r, logout.SingleLogoutURL(idToken), http.StatusSeeOther)
  } else {
  logger.Info("logout: successful local logout")
  metrics.ObserveLogout(metrics.LogoutOperationLocal)
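Review bot: The redirects in Login, LoginCallback and logout now force the client's follow-up into a GET (303) instead of letting it replay the original method and body (307), which matters most for the redirect to `logout.SingleLogoutURL(idToken)`: a logout triggered by a form POST would previously have been re-POSTed, body included, to the identity provider's end-session endpoint. Nothing at the call sites records that intent, so a later cleanup can revert it without noticing; add a comment at the first redirect in Login such as `// 303 (not 307): the client must follow with a GET and never replay the method or body of the request that reached this handler` and refer to it from the other sites. The same change, with the same missing note, appears in the LogoutCallback hunk and in the handler_sso_proxy.go Login/Logout, pkg/mock/openid.go and pkg/router/router.go hunks. The bodies of Login and logout start outside their hunks.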
@@ -268,7 +268,7 @@ func (s *Standalone) LogoutCallback(w http.ResponseWriter, r *http.Request) {
  cookie.Clear(w, cookie.Retry, s.GetCookieOptions(r))
  mw.LogEntryFrom(r).Debugf("logout/callback: redirecting to %s", redirect)
- http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
+ http.Redirect(w, r, redirect, http.StatusSeeOther)
  }
  func (s *Standalone) LogoutFrontChannel(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/handler/handler_sso_proxy.go b/pkg/handler/handler_sso_proxy.go
index e47c55d..90a95d2 100644
--- a/pkg/handler/handler_sso_proxy.go
+++ b/pkg/handler/handler_sso_proxy.go
@@ -129,7 +129,7 @@ func (s *SSOProxy) Login(w http.ResponseWriter, r *http.Request) {
  "redirect_after_login": canonicalRedirect,
  }).Info("login: redirecting to sso server")
- http.Redirect(w, r, ssoServerLoginURL, http.StatusTemporaryRedirect)
+ http.Redirect(w, r, ssoServerLoginURL, http.StatusSeeOther)
  }
  func (s *SSOProxy) LoginCallback(w http.ResponseWriter, r *http.Request) {
@@ -138,7 +138,7 @@ func (s *SSOProxy) LoginCallback(w http.ResponseWriter, r *http.Request) {
  func (s *SSOProxy) Logout(w http.ResponseWriter, r *http.Request) {
  target := s.GetSSOServerURL().JoinPath(paths.OAuth2, paths.Logout)
- http.Redirect(w, r, target.String(), http.StatusTemporaryRedirect)
+ http.Redirect(w, r, target.String(), http.StatusSeeOther)
  }
  func (s *SSOProxy) LogoutCallback(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
index edfc5f1..db3a633 100644
--- a/pkg/handler/handler_test.go
+++ b/pkg/handler/handler_test.go
@@ -49,7 +49,7 @@ func TestLogin(t *testing.T) {
  assert.NotEmpty(t, loginURL.Query().Get("code_challenge"))
  resp = get(t, rpClient, loginURL.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  callbackURL := resp.Location
  assert.Equal(t, loginURL.Query().Get("state"), callbackURL.Query().Get("state"))
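Review bot: Every assertion updated in the TestLogin hunk and in the other test hunks (handler_test.go @@ -436 through @@ -521 and reverseproxy_test.go) apparently issues a GET through `get(t, rpClient, ...)`, and for a GET a 303 and a 307 yield the same follow-up request, so the suite only verifies the status constant and not the behaviour the commit changes. A test that sends a POST to the logout endpoint and checks that the request arriving at the mock EndSession handler is a GET without the original body would pin the intended semantics. The assertions at the identity-provider hops (the authorize and endsession steps) also check the mock's status code rather than the relying party's; accepting any redirect status there would keep those tests about the product rather than the fixture. TestLogin's body starts outside the hunk.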
@@ -436,7 +436,7 @@ func localLogin(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider)
  assert.NoError(t, err)
  resp := get(t, rpClient, loginURL.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  cookies := rpClient.Jar.Cookies(loginURL)
  sessionCookie := getCookieFromJar(cookie.Session, cookies)
@@ -455,7 +455,7 @@ func authorize(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider)
  // Follow redirect to authorize with identity provider
  resp = get(t, rpClient, resp.Location.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  return resp
  }
@@ -466,7 +466,7 @@ func callback(t *testing.T, rpClient *http.Client, authorizeResponse response) *
  // Follow redirect to callback
  resp := get(t, rpClient, callbackURL.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  cookies := rpClient.Jar.Cookies(callbackURL)
  sessionCookie := getCookieFromJar(cookie.Session, cookies)
@@ -491,7 +491,7 @@ func selfInitiatedLogout(t *testing.T, rpClient *http.Client, idp *mock.Identity
  assert.NoError(t, err)
  resp := get(t, rpClient, logoutURL.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  cookies := rpClient.Jar.Cookies(logoutURL)
  sessionCookie := getCookieFromJar(cookie.Session, cookies)
@@ -507,7 +507,7 @@ func logout(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider) {
  // Follow redirect to endsession endpoint at identity provider
  resp = get(t, rpClient, resp.Location.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // Get post-logout redirect URI after successful logout at identity provider
  logoutCallbackURI := resp.Location
@@ -521,7 +521,7 @@ func logout(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider) {
  // Follow redirect back to logout callback
  resp = get(t, rpClient, logoutCallbackURI.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // Get post-logout redirect URI after redirect back to logout callback
  assert.Equal(t, "https://google.com", resp.Location.String())
diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
index c3ba14c..5574df1 100644
--- a/pkg/handler/reverseproxy.go
+++ b/pkg/handler/reverseproxy.go
@@ -93,7 +93,7 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
  }
  logger.WithFields(fields).Info("default: unauthenticated: request matches auto-login; redirecting to login...")
- http.Redirect(w, r, loginUrl, http.StatusTemporaryRedirect)
+ http.Redirect(w, r, loginUrl, http.StatusSeeOther)
  return
  }
diff --git a/pkg/handler/reverseproxy_test.go b/pkg/handler/reverseproxy_test.go
index e36d35b..36b8258 100644
--- a/pkg/handler/reverseproxy_test.go
+++ b/pkg/handler/reverseproxy_test.go
@@ -51,7 +51,7 @@ func TestReverseProxy(t *testing.T) {
  target := idp.RelyingPartyServer.URL + "/"
  resp := get(t, rpClient, target)
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // redirect should point to local login endpoint
  loginLocation := resp.Location
@@ -59,7 +59,7 @@ func TestReverseProxy(t *testing.T) {
  // follow redirect to local login endpoint
  resp = get(t, rpClient, loginLocation.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // redirect should point to identity provider
  authorizeLocation := resp.Location
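Review bot: With 303 an unauthenticated non-GET request that matches auto-login is turned into a GET to `loginUrl` and its body is dropped, whereas 307 would have replayed the method and body against the login endpoint; neither serves a form POST or an XHR well, since the intercepted request is lost either way and only a navigational GET can be resumed after login. It is not visible in the hunk whether `Handler` limits auto-login to GET/HEAD (the function starts outside it); if it does not, consider answering non-GET requests with 401 instead of a redirect. In any case document the choice at this line: `// 303: the client follows with a GET; a 307 would replay the method and body of the intercepted request`.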
@@ -70,7 +70,7 @@ func TestReverseProxy(t *testing.T) {
  // follow redirect to identity provider for login
  resp = get(t, rpClient, authorizeLocation.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // redirect should point back to relying party
  callbackLocation := resp.Location
@@ -85,7 +85,7 @@ func TestReverseProxy(t *testing.T) {
  // follow redirect back to relying party
  resp = get(t, rpClient, callbackLocation.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  // finally, follow redirect back to original target, now with a session
  targetLocation := resp.Location
@@ -274,7 +274,7 @@ func TestReverseProxy(t *testing.T) {
  target := idp.RelyingPartyServer.URL + path
  resp := get(t, rpClient, target)
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+ assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
  })
  }
  })
diff --git a/pkg/mock/openid.go b/pkg/mock/openid.go
index ea8de97..1e5297e 100644
--- a/pkg/mock/openid.go
+++ b/pkg/mock/openid.go
@@ -295,7 +295,7 @@ func (ip *IdentityProviderHandler) Authorize(w http.ResponseWriter, r *http.Requ
  u.RawQuery = v.Encode()
- http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
+ http.Redirect(w, r, u.String(), http.StatusSeeOther)
  }
  func (ip *IdentityProviderHandler) Jwks(w http.ResponseWriter, r *http.Request) {
@@ -572,7 +572,7 @@ func (ip *IdentityProviderHandler) EndSession(w http.ResponseWriter, r *http.Req
  return
  }
- http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
+ http.Redirect(w, r, u.String(), http.StatusSeeOther)
  }
  type relyingPartyServer struct {
diff --git a/pkg/router/router.go b/pkg/router/router.go
index 339d102..e02fb9f 100644
--- a/pkg/router/router.go
+++ b/pkg/router/router.go
@@ -94,7 +94,7 @@ func New(src Source, cfg *config.Config) chi.Router {
  if cfg.SSO.IsServer() {
  r.Get("/", func(w http.ResponseWriter, r *http.Request) {
- http.Redirect(w, r, paths.OAuth2+paths.Login, http.StatusTemporaryRedirect)
+ http.Redirect(w, r, paths.OAuth2+paths.Login, http.StatusSeeOther)
  })
  }
  })