Is it correct behaviour for an HTTP client to trim the :443 port from a 302 redirect?
I notice that web browsers do this. So, if redirected to https://website.domain.com:443 they actually subsequently request https://website.domain.com. I couldn't find a clear answer in the standard.
I am writing an iOS App that is interacting with an HTTP authentication server that is explicitly adding :443 to a 302 redirect. My app follows the redirect verbatim, but unfortunately this makes the SSO Login server reject the authentication attempt because it's performing hostname verification.
It deems login.domain.com:443 to be different from login.domain.com.
The flow is:
- Request https://website.domain.com/protected_page
- Am redirected to https://login.domain.com
- login.domain.com redirects to https://login.domain.com:443/auth
- At this point a browser would redirect to https://login.domain.com/auth
- My App redirects verbatim to https://login.domain.com:443/auth
Is my App's behaviour correct?
Is the login server's assertion that login.domain.com:443 is not the same domain as login.domain.com correct?
Well, you have come across a design fault in the login server.
RFC 3986, section 3.2.3 states that
I.e., any URI parser should realize that if the port is omitted, the default value of the port must be used; consequently https://login.domain.com and https://login.domain.com:443 are the same URI component.
What you can do is alter the URI if this is needed for the login server to accept it.
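One way to implement the suggested work-around on the client side, as an added example that is not part of the question or the answer: normalize a redirect target before following it, dropping the port only when it equals the scheme default (443 for https, 80 for http) and lower-casing the scheme and host, as RFC 3986 section 6.2 describes. The same comparison can be used on the server side for the hostname check the asker describes, so that `login.domain.com:443` and `login.domain.com` compare equal. The code is Python rather than the asker's iOS code, uses only the standard library, and the function names, the example URLs and the assumption that the app sees the raw `Location` header are mine.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Scheme-default ports (RFC 3986 s3.2.3: an omitted port means the default).
# Assumed set for this example; extend it if the app speaks other schemes.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_default_port(url: str) -> str:
    """Return url with an explicit scheme-default port removed.

    Scheme and host are lower-cased (RFC 3986 s6.2.2.1); a non-default port,
    userinfo, path, query and fragment are preserved unchanged.
    Raises ValueError (from urlsplit) if the port is not numeric.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if host is None:
        return url  # no authority component, nothing to normalize
    port = parts.port  # None when the port is omitted
    if ":" in host:
        host = f"[{host}]"  # re-bracket IPv6 literals for the netloc
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        host = f"{userinfo}@{host}"
    # Keep the port only if it is present and is not the scheme default.
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


def same_authority(url_a: str, url_b: str) -> bool:
    """True when both URLs name the same scheme and authority after
    normalization, i.e. the check the login server should be doing."""
    a, b = urlsplit(normalize_default_port(url_a)), urlsplit(normalize_default_port(url_b))
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def resolve_redirect(current_url: str, location: str) -> str:
    """Compute the URL to request next from a 302 Location header.

    Location may be relative (allowed since RFC 7231), so it is resolved
    against the URL that produced the redirect before normalizing.
    """
    return normalize_default_port(urljoin(current_url, location))


if __name__ == "__main__":
    # Constructed sample of the flow in the question.
    hop = resolve_redirect("https://login.domain.com", "https://login.domain.com:443/auth")
    print(hop)  # https://login.domain.com/auth
    print(same_authority("https://login.domain.com:443", "https://login.domain.com"))  # True
```

Note that the port is compared against the default for the scheme actually in use: `http://host:443/` keeps its port, because 443 is not http's default, and the two URLs really do name different endpoints.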