follow_redirects dropping Bearer token header

[ashic]

It appears that if we have follow_redirects set to True, and the server issues a redirect, bearer tokens aren't added to the redirected request. I'm resorting to code like this:

        async with httpx.AsyncClient(transport=transport, follow_redirects=False, headers={"Authorization": auth_header}) as client:
            r = await client.get(url, timeout=httpx.Timeout(30))
            if r.status_code == 302:
                location = r.headers['location']
                r = await client.get(location, timeout=httpx.Timeout(30))

In the above, if follow_redirects is set to True, I'm getting a 401. Shouldn't headers be copied into redirected requests?

This could be related to: #3231 and #2088

[tomchristie]

Perhaps you're seeing a redirect to a different host/scheme?

Auth headers are maintained, unless the origin changes.

(Perhaps a useful pointer for some more detailed "redirect behaviours" docs?)

Refs...

httpx/httpx/_client.py

Line 455 in 609df7e

def _build_redirect_request(self, request: Request, response: Response) -> Request:

httpx/httpx/_client.py

Line 526 in 609df7e

def _redirect_headers(self, request: Request, url: URL, method: str) -> Headers:

[ashic]

So, just investigated it further. The redirect is to a different domain. Notes:

1. original request is to: x.y.z.com
2. redirect's location header is to x.a.b.com

It appears that the auth header set on the client does not carry through to the redirected request if follow_redirects is set to True. However, if I use the same client to explicitly make a call to the new location (as in the code sample), then it works as expected.

Is this expected behaviour? (I should specify that for better or worse, the same bearer token works for both the initial and redirected location).

[ashic]

Hmm... the documentation doesn't seem to specify anything about redirects and domains, though.

[tomchristie]

Typo. That should read "doesn't". 😅

I suppose we need something like the following?...

Redirects & Authentication.

When following HTTP cross-domain redirects, any Authentication header present on the request will be automatically stripped on the redirect in order to prevent leaking credentials.

[findmyway]

Better to add this part to the doc. I just spent some time on confirming this part 😄

[tomchristie]

@findmyway Yep agree. Could you open an issue for this? Let's document this behaviour somewhere on https://www.python-httpx.org/advanced/authentication/

[findmyway]

Filed at #3334