Update redirect policy to clear auth header #27838
Conversation
sdk/core/azure-core/src/main/java/com/azure/core/http/policy/RedirectPolicy.java
sdk/core/azure-core/src/test/java/com/azure/core/http/policy/RedirectPolicyTest.java
    // Clear the authorization header to avoid the client to be redirected to an untrusted third party server
    // causing it to leak your authorization token to.
    httpResponse.getHeaders().remove("Authorization");
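Review bot: the removal is applied to `httpResponse.getHeaders()`, which is the header set of the response that carried the redirect, while the comment above it describes keeping the token out of the request that follows the redirect. Unless the redirect request is constructed from the response's headers, this call does not change what is sent to the Location target; the `Authorization` header should be removed from the headers of the redirect request that is about to be issued. The comment could also be tightened, for example `// Drop the Authorization header so a redirect to an untrusted third-party server does not leak the token.`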
If we remove the "Authorization" header, how does the redirected request get authorized?
I think it is expected behavior to remove the authorization header before we redirect for security reasons.
So that we don't forward the authorization token to an untrusted/unwanted site.
It could be the service's responsibility to set the auth tokens accordingly in the redirect request so that it is forwarded correctly, I would think.
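As an added illustration of the behaviour discussed in this thread (example code, not part of the PR or of azure-core): the headers for a redirect request are built by copying the original request's headers and dropping `Authorization`. The PR clears the header unconditionally; this example goes a step further and drops it only when the redirect leaves the original request's origin (scheme, host, port), which is the assumption that lets same-host redirects stay authorized while a cross-host redirect never receives the token. The class name, method names and the sample URLs are constructed for the example.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Builds the header set for a redirect request. Every header of the original
 * request is carried over except "Authorization", which is dropped whenever
 * the redirect target is outside the origin (scheme + host + port) of the
 * original request, so a bearer token is never forwarded to a third-party host.
 * Hypothetical helper written for this example; not azure-core's RedirectPolicy.
 */
public final class RedirectHeaders {

    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    // Resolve the default port so "https://host" and "https://host:443" compare equal.
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static Map<String, String> forRedirect(URI original, Map<String, String> originalHeaders, URI location) {
        boolean keepAuth = sameOrigin(original, location);
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : originalHeaders.entrySet()) {
            // Header names are case-insensitive, so compare ignoring case.
            if (!keepAuth && "Authorization".equalsIgnoreCase(e.getKey())) continue;
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input: original request plus two candidate redirect targets.
        URI original = URI.create("https://api.example.com/items");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Bearer <placeholder-token>");
        headers.put("Accept", "application/json");

        Map<String, String> crossOrigin = forRedirect(original, headers, URI.create("https://cdn.example.net/blob/1"));
        Map<String, String> sameOrigin = forRedirect(original, headers, URI.create("https://api.example.com/items/1"));
        System.out.println("cross-origin redirect carries Authorization: " + crossOrigin.containsKey("Authorization"));
        System.out.println("same-origin redirect carries Authorization: " + sameOrigin.containsKey("Authorization"));
    }
}
```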
One other thing that came up as part of ACR investigation was that any time a service call returned a redirect return code - we lost the headers of the original request (which is intentional) but ACR needs to intercept one of those headers. As of now I am handling this via an internal ACR policy. I am not sure if this is a common enough scenario to be in the core? I am curious what others think?
pallavit
left a comment
Update redirect policy to clear auth header when creating the redirect request.