Credentials are not stripped on a redirect

[wirtsi]

Hey

we have raised an issue at redpanda-data/connect#792 where the following happens

• We speak to an oAuth protected endpoint with a valid token
• Endpoint is happy with the token and redirects me to an endpoint that is secured with a X-Amz-Security-Token URL param (the oauth endpoint adds those)
• The redirected-to endpoint barfs because the initial Authorization header is still present (Message is something like "Only one auth mechanism allowed")
• The preservation of the auth headers is something that happens in the oauth2 library, doing a redirect with http.Client removes them

Now the behavior of preserving Auth headers on redirects is a somewhat grey area of the specs. I'd like to point out though that keeping auth headers is not standard golang behavior ... golang/go@6e87082 introduced a changed where Auth headers and cookies are only preserved on redirect if the target host is a subdomain.

The devs at benthos rightly said that this is something that should be fixed in the oauth library. What do you guys think? Is this a bug?

[imax9000]

Hit this too just now. It's seems like a bug, at the very least because it's inconsistent with http.Client behaviour. Even though redirects are controlled by the service owner, people rarely think about leaking Authorization token when redirecting the user to another domain, so this can also be a security issue in some cases.

[Pival81]

Are there any updates on this? Currently I have to use an oauth2 client to make the first request but stop it from following the redirect, and instead make a second request to the redirected url with a normal http client.

[imax9000]

Are there any updates on this? Currently I have to use an oauth2 client to make the first request but stop it from following the redirect, and instead make a second request to the redirected url with a normal http client.

I've resorted to a slightly more ergonomic workaround: replacing the transport with my own implementation https://github.com/uabluerail/bsky-tools/blob/main/xrpcauth/transport.go

[seankhliao]

This may be difficult to fix: the Transport adds the auth tokens, and the interface it implements is RoundTrip(*Request) (*Response, error).
It has no knowledge of which resource servers the tokens are for, or whether a request is a redirected one.