Description
When accessing the Single Logout Service (SLS) endpoint (/saml2/{idp}/sls), the controller returns an instance of Illuminate\Routing\Redirector instead of Illuminate\Http\RedirectResponse. This causes a TypeError when Laravel attempts to prepare the response, as the framework expects a Response object.
Error Details
```text
TypeError: Symfony\Component\HttpFoundation\Response::setContent():
Argument #1 ($content) must be of type ?string, Illuminate\Routing\Redirector given
```
Stack Trace
```text
#0 vendor/laravel/framework/src/Illuminate/Http/Response.php(81): Symfony\Component\HttpFoundation\Response->setContent(Object(Illuminate\Routing\Redirector))
#1 vendor/laravel/framework/src/Illuminate/Http/Response.php(34): Illuminate\Http\Response->setContent(Object(Illuminate\Routing\Redirector))
#2 vendor/laravel/framework/src/Illuminate/Routing/Router.php(939): Illuminate\Http\Response->__construct(Object(Illuminate\Routing\Redirector), 200, Array)
#3 vendor/laravel/framework/src/Illuminate/Routing/Router.php(906): Illuminate\Routing\Router::toResponse(Object(Illuminate\Http\Request), Object(Illuminate\Routing\Redirector))
#4 vendor/laravel/framework/src/Illuminate/Routing/Router.php(821): Illuminate\Routing\Router->prepareResponse(Object(Illuminate\Http\Request), Object(Illuminate\Routing\Redirector))
```
Affected Code
The issue occurs in the sls method of LogoutController:
```php
public function sls(Auth $auth)
{
    $errors = $auth->sls(config('saml2.retrieveParametersFromServer'));
    if (!empty($errors)) {
        // ... error handling ...
        return redirect(config('saml2.errorRoute')); // Returns Redirector
    }
    return redirect(config('saml2.logoutRoute')); // Returns Redirector
}
```
Expected Behavior
The controller should return an Illuminate\Http\RedirectResponse object, which is compatible with Laravel's HTTP kernel.
Proposed Solution
Replace the redirect() helper with redirect()->to() or use the ResponseFactory:
```php
// Instead of:
return redirect(config('saml2.logoutRoute'));
// Use:
return redirect()->to(config('saml2.logoutRoute'));
// or
return response()->redirectTo(config('saml2.logoutRoute'));
```
Environment
- Laravel Version: 6.x/7.x/8.x/9.x/10.x (tested on 6.4.23)
- PHP Version: 7.3+
- Package Version: Latest
Why This Matters
- Framework Contract: Laravel expects controllers to return Response objects
- Middleware Compatibility: The issue only appears with certain middleware stacks (e.g., when using Passport, custom middleware)
- Extensibility: Developers extending the package may copy this pattern and introduce the same bug in their code
Suggested Fixes for Package Maintainer
Update Controller (Minimal)
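```php
// The return type needs this import at the top of the controller file:
//   use Illuminate\Http\RedirectResponse;
public function sls(Auth $auth): RedirectResponse
{
    // ... logic ...
    return redirect()->to(config('saml2.logoutRoute'));
}
```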
Additional Context
- The issue is intermittent and only appears with specific middleware configurations
- Regular Laravel applications auto-convert Redirector to RedirectResponse, but complex middleware stacks can break this magic
- This has been confirmed in production environments with additional middleware (Passport, custom auth, etc.)
Impact
- Critical: Causes HTTP 500 errors during SAML logout flow
- Users cannot complete Single Logout Service (SLO)
- Application logs fill with TypeError exceptions
Thank you for maintaining this package!
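An added example, not part of the original issue and not the package's code: a helper that turns a `saml2.*` config key into a `RedirectResponse` even when the key is unset. Laravel's `redirect()` helper returns the `Redirector` service when its first argument is `null`, so an unconfigured route is one way the reported `TypeError` can arise. The class name `SlsRedirect`, its namespace and the `/` fallback are assumptions, and the code runs inside a Laravel application.

```php
<?php
// Added example, not the package's code. Assumes a Laravel application.
// SlsRedirect and the App\Support namespace are hypothetical names.

namespace App\Support;

use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Log;

final class SlsRedirect
{
    /**
     * Build a RedirectResponse from a config key such as 'saml2.logoutRoute'.
     *
     * redirect(null) returns the Redirector service rather than a response,
     * so an unset config key must never be passed to the helper directly.
     */
    public static function toConfigured(string $key, string $fallback = '/'): RedirectResponse
    {
        $target = config($key);

        if (!is_string($target) || trim($target) === '') {
            // Missing or malformed setting: record it and use the fallback
            // instead of letting the logout flow end in an HTTP 500.
            Log::warning('SAML SLS redirect target is not configured', ['key' => $key]);
            $target = $fallback;
        }

        // Redirector::to() always returns a RedirectResponse.
        return redirect()->to($target);
    }
}

// Usage inside the controller's sls() method ($auth is the package's Auth object):
//   $errors = $auth->sls(config('saml2.retrieveParametersFromServer'));
//   return SlsRedirect::toConfigured(
//       empty($errors) ? 'saml2.logoutRoute' : 'saml2.errorRoute'
//   );
```

The warning in the application log gives operators a single line to alert on when the logout or error route is missing from `config/saml2.php`.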