Authorization header removed after redirect

[carlin-q-scott]

I'm not sure if this is supposed to be a feature because my other custom headers were preserved. Accept-Encoding is doubled on the second request as well.

First Request:

GET http://mydomain HTTP/1.1
X-Intel-Loglevel: DEBUG
Accept: application/json
x-request-id: cd013990-c68f-450a-afb3-f5d31fef08b7
Authorization: my authorization
User-Agent: RestSharp 104.1.0.0
Accept-Encoding: gzip, deflate

First Response:

HTTP/1.1 302 Moved Temporarily
Location: https://mydomain

Second Request:

GET https://mydomain HTTP/1.1
X-Intel-Loglevel: DEBUG
Accept: application/json
x-request-id: cd013990-c68f-450a-afb3-f5d31fef08b7
User-Agent: RestSharp 104.1.0.0
Accept-Encoding: gzip, deflate,gzip, deflate

[haacked]

I believe this is by design of the HttpWebRequest class.

The Authorization header is cleared on auto-redirects and HttpWebRequest automatically tries to re-authenticate to the redirected location. In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection. Instead, the application must implement and register a custom authentication module. The System.Net.AuthenticationManager and related class are used to implement a custom authentication module. The AuthenticationManager.Register method registers a custom authentication module.

[carlin-q-scott]

I have a registered IAuthenticator that adds the authorization header. Since it is registered with RestSharp rather than HttpWebRequest I think it's the responsibility of RestSharp to register the authenticator with HttpWebRequest.

[haacked]

Ah, ok. Would you be interested in taking a crack at fixing it and submitting a pull request?

[carlin-q-scott]

I just stopped using the old URL. Most likely everyone does that. Until I find it necessary to use the redirect functionality I don't have any interest in fixing this.

I already looked into it a little bit and it looks somewhat complicated because while the interface for System.Net.IAuthenticationModule and RestSharp.IAuthenticator are close, they are not compatible.

[haacked]

I just stopped using the old URL. Most likely everyone does that. Until I find it necessary to use the redirect functionality I don't have any interest in fixing this.

Fair enough.

I already looked into it a little bit and it looks somewhat complicated because while the interface for System.Net.IAuthenticationModule and RestSharp.IAuthenticator are close, they are not compatible.

I have no idea what the rational is behind that. I bet a simple solution is just make the RestSharp implementation implement both interfaces.

But I'll close this for now until someone else feels it's important enough.

[pauldbentley]

Hi,

I am experiencing this issue. I am using calling an API which by the nature of their implementation uses redirects for their "friendly-urls" to the actual URL. On the redirect the authorization is lost.

I'm not sure what the solution is?

Thanks

Paul

[carlin-q-scott]

You can either use the unfriendly-urls or implement the fix suggested by Haacked and me.

[domenu]

You can just assign a CredentialsCache object to the request in the Authenticate method.
Passing these credentials to a request indicates to the request that you allow them to be used, even for subsequent requests (redirects).

From this msdn article:

A CredentialCache will not be removed from the Credentials property when redirecting because WebRequest knows where you will allow your credentials sent. You may also reuse your cache by assigning it to subsequent requests.

So a RestSharp BasicAuthenticator implementation could look like this:

 public class BasicAuthenticator : IAuthenticator
    {
        private readonly string _baseUrl;
        private readonly string _userName;
        private readonly string _password;
        private readonly CredentialCache _credentialCache;

        public BasicAuthenticator(string baseUrl, string userName, string password)
        {
            _baseUrl = baseUrl;
            _userName = userName;
            _password = password;

            _credentialCache = new CredentialCache
            {
                {new Uri(_baseUrl), "Basic", new NetworkCredential(_userName, _password)}
            };
        }

        public void Authenticate(IRestClient client, IRestRequest request)
        {
            request.Credentials = _credentialCache;

            if (request.Parameters.Any(parameter =>
                            parameter.Name.Equals("Authorization", StringComparison.OrdinalIgnoreCase)))
            {
                return;
            }
            request.AddParameter("Authorization", GetBasicAuthHeaderValue(), ParameterType.HttpHeader);
        }


        private string GetBasicAuthHeaderValue()
        {
            return string.Format("Basic {0}",
                            Convert.ToBase64String(Encoding.ASCII.GetBytes(string.Format("{0}:{1}",
                                _userName, _password))));
        }
    }