From beca770a54b3202cea1a04674825190df34c0f6a Mon Sep 17 00:00:00 2001
From: Valentin Delaye
Date: Tue, 17 Feb 2026 18:18:03 +0100
Subject: [PATCH] Do not send Authorization header when redirecting after auth
Signed-off-by: Valentin Delaye
---
 src/main/java/land/oras/auth/HttpClient.java | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/main/java/land/oras/auth/HttpClient.java b/src/main/java/land/oras/auth/HttpClient.java
index 8938576..e04264f 100644
--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -525,7 +525,7 @@ private ResponseWrapper executeRequest(
 newScopes,
 authProvider);
 }
- return redoRequest(response, builder, handler, newScopes, authProvider);
+ return redoRequest(uri, response, builder, handler, newScopes, authProvider);
 } catch (Exception e) {
 if (e instanceof OrasException) {
 throw (OrasException) e;
@@ -542,6 +542,7 @@ private String getLocationHeader(HttpResponse response) {
 }
 
 private ResponseWrapper redoRequest(
+ URI originUri,
 HttpResponse response,
 HttpRequest.Builder builder,
 HttpResponse.BodyHandler handler,
@@ -572,7 +573,15 @@ private ResponseWrapper redoRequest(
 // Follow redirect
 if (shouldRedirect(newResponse)) {
 String location = getLocationHeader(newResponse);
- LOG.debug("Redirecting after auth to {}", location);
+ URI redirectUri = URI.create(location);
+ LOG.debug("Redirecting to {} from domain {} to domain {}", location, originUri, redirectUri);
+ boolean includeAuthHeaderForRedirect = isSameOrigin(originUri, redirectUri);
+ if (!includeAuthHeaderForRedirect) {
+ LOG.debug("Skipping auth header for redirect from {} to {}", originUri, redirectUri);
+ builder = HttpRequest.newBuilder(
+ builder.build(), (name, value) -> !name.equalsIgnoreCase(Const.AUTHORIZATION_HEADER));
+ }
+
 return toResponseWrapper(
 client.send(builder.uri(URI.create(location)).build(), handler));
 }
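Review bot: The new `originUri` parameter on `redoRequest` carries no documentation of which URI it is expected to hold (the caller passes `uri` from `executeRequest`) or what it decides downstream, even though it now governs whether credentials are forwarded. A Javadoc line such as `@param originUri URI of the request being retried; a redirect Location that is not same-origin with it is followed without the Authorization header` would keep that contract visible at the signature. The rest of redoRequest's parameter list and its body continue outside this hunk.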
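Review bot: `URI redirectUri = URI.create(location)` treats the Location header as an absolute URL, but a Location may be a relative reference with no scheme or host, so if `isSameOrigin` (not part of this patch) compares those components a same-origin relative redirect would be classified as cross-origin and the retried request would lose its Authorization header, and `builder.uri(URI.create(location))` two lines later would reject the relative URI regardless. Resolving against the request URI covers both forms: `URI redirectUri = originUri.resolve(location);` and then `client.send(builder.uri(redirectUri).build(), handler)` so the origin check and the send use the same parsed value. Separately, both new debug messages say "domain" but log the full `originUri` and `redirectUri`; registry blob redirects are commonly pre-signed URLs whose query string carries a signature, so logging `originUri.getHost()` and `redirectUri.getHost()` keeps that material out of logs. redoRequest's body continues outside this hunk.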