 

Authorization header when following redirects

When following redirects for a 303 response, in Chrome, IE, and Firefox, the Authorization header is included.
That's an issue when a request to an internal service responds with a signed S3 URL in the Location header.
S3 will respond with a 400, as it can't figure out which authentication method to use.

Request to internal service

GET INTERNAL_SERVICE HTTP/1.1
Pragma: no-cache
Origin: https://example.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7,de;q=0.6
Authorization: Bearer g6YQjOy3BDu32es8xKdMRNpcQ2Fkrh5NG7y5fDs5
Accept: application/json, text/plain, */*
Cache-Control: no-cache
Authority: example.com
Host: example.com
Connection: close

Response

HTTP/1.1 303 See Other
Date: Tue, 13 Mar 2018 08:55:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx
location: S3_SIGNED_URL
Cache-Control: no-cache, private
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Accept, Authorization, X-Requested-With
Access-Control-Max-Age: 28800

Request to S3

GET S3_SIGNED_URL HTTP/1.1
Pragma: no-cache
Origin: https://example.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7,de;q=0.6
Authorization: Bearer g6YQjOy3BDu32es8xKdMRNpcQ2Fkrh5NG7y5fDs5
Accept: application/json, text/plain, */*
Cache-Control: no-cache
Authority: example.com
Host: BUCKET_NAME.s3.eu-central-1.amazonaws.com
Connection: close

Response

HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
x-amz-request-id: REQUEST_ID
x-amz-id-2: AMZ_ID
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 13 Mar 2018 09:06:41 GMT
Connection: close
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<Error>
   <Code>InvalidArgument</Code>
   <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message>
   <ArgumentName>Authorization</ArgumentName>
   <ArgumentValue>Bearer g6YQjOy3BDu32es8xKdMRNpcQ2Fkrh5NG7y5fDs5</ArgumentValue>
   <RequestId>REQUEST_ID</RequestId>
   <HostId>HOST_ID</HostId>
</Error>

Is there a way to instruct the browser to ignore the Authorization header, or force S3 to ignore the header?

Morten Hauberg asked Mar 13 '18 10:03
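
As an added example (not code from the question or the answer), here is the header-forwarding rule a redirect-following client should apply to avoid exactly this failure: drop credential headers such as Authorization when the redirect leaves the original origin or points at a presigned S3 URL, since S3 accepts only one auth mechanism per request. The URLs, bucket name and signature value are constructed placeholders mirroring the exchange above; the Bearer token is the one shown in the question. (Python's requests library applies the same cross-host rule in Session.rebuild_auth; browsers, as the question shows, do not.)

```python
from urllib.parse import urlsplit, parse_qs

# Headers that carry credentials for one origin and must not be replayed to another.
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}
# Query parameters that show the S3 URL is already presigned (SigV4, or older SigV2 style).
S3_PRESIGN_PARAMS = {"x-amz-algorithm", "x-amz-signature", "signature", "awsaccesskeyid"}

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)

def is_presigned_s3_url(url):
    """True when the query string already carries an S3 signature."""
    qs = {k.lower() for k in parse_qs(urlsplit(url).query)}
    return bool(qs & S3_PRESIGN_PARAMS)

def headers_for_redirect(request_url, request_headers, location):
    """Headers a client should send when following a redirect to 'location'.

    Credential headers go only to the same origin, and never to a presigned
    S3 URL, since S3 accepts exactly one auth mechanism per request.
    """
    cross_origin = origin(request_url) != origin(location)
    presigned = is_presigned_s3_url(location)
    forwarded = {}
    for name, value in request_headers.items():
        lname = name.lower()
        if lname in CREDENTIAL_HEADERS and (cross_origin or presigned):
            continue  # dropped: would leak the token, and trips S3's InvalidArgument
        if lname == "host":
            continue  # Host is rebuilt from the new URL below
        forwarded[name] = value
    forwarded["Host"] = urlsplit(location).netloc
    return forwarded

# Constructed sample mirroring the question's exchange (placeholder bucket name,
# made-up signature value; the Bearer token is the one shown in the question).
INTERNAL_URL = "https://example.com/internal/report"
SIGNED_URL = ("https://BUCKET_NAME.s3.eu-central-1.amazonaws.com/report.pdf"
              "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=deadbeef&X-Amz-Expires=300")
REQUEST_HEADERS = {
    "Authorization": "Bearer g6YQjOy3BDu32es8xKdMRNpcQ2Fkrh5NG7y5fDs5",
    "Accept": "application/json, text/plain, */*",
    "Host": "example.com",
}
```

Calling headers_for_redirect(INTERNAL_URL, REQUEST_HEADERS, SIGNED_URL) yields the Accept header plus the S3 Host and no Authorization, which is the request S3 would have accepted.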




1 Answer

Kind of a kludge, but there is a workaround to this situation by using CloudFront to front S3. More information posted here: ReactJS- remove HTTP header before redirect

Vinnie answered Sep 18 '22 14:09