HttpClient 403 Error in .NET Core 2.1 rc1

[jesslilly]

Hello. I was using some HttpClient code in an application with ASP.NET MVC Core 2.0 and it was working fine. Upon upgrading to .NET Core 2.1 rc1, I am now getting 403 errors with this code.

Example Code

.NET Core 2.0

• With this example code I can get a return code OK with .NET Core 2.0.
• The Auth header looks correct:
  

.NET Core 2.1 rc1

• With the same code, I switch to .NET Core 2.1 rc1 and I get a Forbidden response (403).
• When I debug past client.SendAsync, the request.Header.Authorization is null.
  

We have similar code with a different API in the same project with rc1 and it is working fine. It may have something to do with the API service.

[karelz]

Does your request involve redirection? We fixed bugs in 2.1 around HTTP spec compliance of manually added headers and their behavior during redirection (e.g. cookies). If that's so, it would be by design (BTW: It also matches .NET Framework behavior). Can you please confirm you're using redirects?

Assuming the answer is yes, as a workaround, you could turn off automatic redirection and add your manual headers again. Would that work for you?

[jesslilly]

Hi @karelz. Thank you very much for the quick response. My buddy did a little work on this yesterday and noticed when running the same request in fiddler, he got a 301.

That would explain why the Auth header is getting removed (reference: authorization-header-is-lost-on-redirect )

I can get the code to WORK again by putting a trailing slash after the ID in the URL like this:

var requestUri = "https://blah/blah/blah/1/?blah=2";

I do have a query string on the URL in my actual code, but I was not sure if it mattered.

So what is happening? I think the API I am trying to call is giving me a a redirect to a new URL (with a slash at the end) and HttpClient is trying to process the redirect, but failing b/c the Auth header is missing and thus giving a 403?

I will investigate turning off automatic redirection or maybe just changing my code to include the slash.

[jesslilly]

When I add this code:

        var handler = new HttpClientHandler()
        {
            AllowAutoRedirect = false                
        };
        var client = new HttpClient(handler);

I get a 301 response code as expected.

[karelz]

Great, sounds like you got it resolved. BTW: Your summary above is correct.
Closing. Let us know if you need more help / guidance. Thanks!