HTTPS request does not send the Authorization header while HTTP request sends it without any problem #1037
Comments
Have you verified that when you use https that the line,
, is reached?
Is OkHttp included in your app? Is the endpoint redirecting you across hosts? OkHttp strips headers across host redirects for safety purposes.
Hi Jake. I work with the Som (OP) and have been debugging this issue. It seems like when the word "Authorization" is sent in the header it is not passed as the other headers are. However, when I change this word to anything else (e.g. customAuth) it is sent as per usual. So my suspicion is that Authorization is some kind of keyword which, when used via HTTPS, goes missing? "customAuth" is the exact same data that is in "Authorization" and its behaviour does not change when I change to HTTPS. (I'm using Fiddler to intercept my packets.) Screenshots of intercepted headers: Do you have any more information on this behaviour? Is it expected? Unexpected? Thank you :)
OkHttp strips the "Authorization" header when redirected across hosts (connections) via a 3xx response from the original host.
So after revisiting the issue, we worked out you were entirely correct about it being a redirect issue. For those interested: We are using Django as our backend and by default when you do not provide a trailing slash on the endpoint Django redirects from the non-slash endpoint to the slash endpoint. You can turn this behaviour off if you do not want to append slashes to your endpoints. For more information: https://docs.djangoproject.com/en/dev/ref/settings/#append-slash Thanks for your help Jake.
Great! Glad it's resolved.
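A minimal model of the redirect behaviour described in this thread, added here as an illustration; it is not OkHttp's or Retrofit's code. It assumes that "across hosts (connections)" means a change of scheme, host or port, and the `/api/items` path and the `other.example` host are constructed for the example.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectAuthDemo {
    // Effective port: URI.getPort() returns -1 when the URL has no explicit port.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Assumption of this sketch: "same connection" means same scheme, host and port.
    static boolean sameConnection(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && port(a) == port(b);
    }

    // Headers for the follow-up request after a 3xx response with the given Location value.
    static Map<String, String> followUpHeaders(URI from, String location, Map<String, String> sent) {
        URI to = from.resolve(location); // Location may be relative, e.g. "/api/items/"
        Map<String, String> next = new LinkedHashMap<>(sent);
        if (!sameConnection(from, to)) {
            // Only the credential header is dropped; other custom headers are forwarded.
            next.keySet().removeIf(name -> name.equalsIgnoreCase("Authorization"));
        }
        return next;
    }

    public static void main(String[] args) {
        Map<String, String> sent = new LinkedHashMap<>();
        sent.put("Authorization", "Token 121231ASDFSDF"); // value format from the report
        sent.put("customAuth", "Token 121231ASDFSDF");    // renamed header from the thread
        URI from = URI.create("https://app.mydomain.com/api/items"); // constructed path
        String[] locations = {
            "/api/items/",                        // trailing-slash redirect, same connection
            "http://app.mydomain.com/api/items/", // scheme changes
            "https://other.example/api/items/"    // host changes
        };
        for (String loc : locations) {
            System.out.println(loc + " -> " + followUpHeaders(from, loc, sent).keySet());
        }
    }
}
```

Capturing the 3xx response and its `Location` value in the proxy trace is the quickest way to tell which of these cases a client is hitting.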
I am having a problem with accessing HTTPS URLs with Retrofit. I am passing a custom header in the following format:
Authorization=Token 121231ASDFSDF
This gets passed in the Retrofit network call when the App.BASE_URL is http://app.mydomain.com but when App.BASE_URL = https://app.mydomain.com this authorization header is not being passed and my backend gives an error.
retrofit client
request interceptor