remove the Location header from HTML step up authentication redirects

zandbelt · zandbelt · commit 5ab1ce7bfa71 · 2025-03-18T13:33:58.000+01:00
as it may conflict with its HTTP 200 status code and confuse middle
boxes

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,7 @@
 03/18/2025
 - use case insensitive hostname/domain comparison in oidc_check_cookie_domain
+- remove the Location header from HTML based step up authentication redirects
+  as it may conflict with its HTTP 200 status code and confuse middle boxes
 - bump to 2.4.16.9dev
 
 02/17/2025
diff --git a/src/handle/authz.c b/src/handle/authz.c
@@ -528,6 +528,7 @@ static authz_status oidc_authz_24_unauthorized_user(request_rec *r) {
 
 	if (location != NULL) {
 		oidc_debug(r, "send HTML refresh with authorization redirect: %s", location);
+		oidc_http_hdr_out_location_set(r, NULL);
 		html_head = apr_psprintf(r->pool, "<meta http-equiv=\"refresh\" content=\"0; url=%s\">", location);
 		oidc_util_html_send(r, "Stepup Authentication", html_head, NULL, NULL, HTTP_UNAUTHORIZED);
 		r->header_only = 1;
