Skip to content

Update redirect policy to clear auth header#27838

Merged
samvaity merged 2 commits intoAzure:mainfrom
samvaity:update-redirect
Mar 30, 2022
Merged

Update redirect policy to clear auth header#27838
samvaity merged 2 commits intoAzure:mainfrom
samvaity:update-redirect

Conversation

@samvaity
Copy link
Member

@samvaity samvaity commented Mar 23, 2022

Update redirect policy to clear auth header when creating the redirect request.

@ghost ghost added the Azure.Core azure-core label Mar 23, 2022
@samvaity samvaity requested a review from pallavit March 23, 2022 20:21
@samvaity samvaity marked this pull request as ready for review March 28, 2022 18:36
@samvaity samvaity requested a review from pallavit March 28, 2022 18:36
srnagar
srnagar reviewed Mar 28, 2022
View reviewed changes
sdk/core/azure-core/src/main/java/com/azure/core/http/policy/RedirectPolicy.java

// Clear the authorization header to avoid the client to be redirected to an untrusted third party server
// causing it to leak your authorization token to.
httpResponse.getHeaders().remove("Authorization");
Copy link
Member

@srnagar srnagar Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we remove the "Authorization" header, how does the redirected request get authorized?

Copy link
Member Author

@samvaity samvaity Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is expected behavior to remove the authorization header before we redirect for security reasons.
So that we don't forward the authorization token to an untrusted/unwanted site.

It could be the service's responsibility to set the auth tokens accordingly in the redirect request so that it is forwarded correctly I would think.

Ref: Azure/azure-sdk-for-net#22876 (comment)

@pallavit
Copy link
Contributor

pallavit commented Mar 28, 2022

One other thing that came up as part of ACR investigation was that any time a service call returned a redirect return code - we lost the headers of the original request(which is intentional) but ACR needs to intercept one of those headers. As of now I am handling this via an internal ACR policy. I am not sure if this is a common enough scenario to be in the core? I am curious what others think?

@samvaity samvaity requested a review from srnagar March 29, 2022 03:00
pallavit
pallavit approved these changes Mar 29, 2022
View reviewed changes
Copy link
Contributor

@pallavit pallavit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@samvaity samvaity requested a review from pallavit March 30, 2022 17:38
@samvaity samvaity merged commit 83ec004 into Azure:main Mar 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alzimmermsft alzimmermsft alzimmermsft approved these changes

@srnagar srnagar srnagar approved these changes

@anuchandy anuchandy Awaiting requested review from anuchandy anuchandy is a code owner

@lmolkova lmolkova Awaiting requested review from lmolkova

@vcolin7 vcolin7 Awaiting requested review from vcolin7 vcolin7 is a code owner

@mssfang mssfang Awaiting requested review from mssfang

@JonathanGiles JonathanGiles Awaiting requested review from JonathanGiles JonathanGiles is a code owner

@billwert billwert Awaiting requested review from billwert

@kasobol-msft kasobol-msft Awaiting requested review from kasobol-msft

@pallavit pallavit Awaiting requested review from pallavit

Assignees

No one assigned

Labels

Azure.Core azure-core

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@samvaity @pallavit @alzimmermsft @srnagar