diff --git a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs
index 24e5fc7163..9e47ee9ed9 100644
--- a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs
+++ b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs
@@ -36,14 +36,21 @@ public class SignedHttpRequestHandler
         };
         private readonly Uri _baseUriHelper = new Uri("http://localhost", UriKind.Absolute);
-        internal readonly HttpClient _defaultHttpClient = new HttpClient();
+
+        // Redirects are disabled on the default client. Consumers who need
+        // different behaviour can supply their own client via
+        // SignedHttpRequestValidationParameters.HttpClientProvider.
+        internal readonly HttpClient _defaultHttpClient = new HttpClient(
+            new HttpClientHandler { AllowAutoRedirect = false })
+        {
+            Timeout = TimeSpan.FromSeconds(10)
+        };
         /// 
         /// Initializes a new instance of .
         /// 
         public SignedHttpRequestHandler()
         {
-            _defaultHttpClient.Timeout = TimeSpan.FromSeconds(10);
         }
         #region SignedHttpRequest creation
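Review bot: With AllowAutoRedirect set to false on the new `_defaultHttpClient` initializer, a 3xx answer is now returned to whatever consumes the response outside this hunk; if that code relies on EnsureSuccessStatusCode or on parsing the body, a redirect will surface as a generic HttpRequestException or a parse failure rather than a message saying the fetch was rejected because the server redirected, so that path is worth checking and, if needed, given an explicit status check. The added comment records that redirects are off and how to override the client, but not why; if the intent is that the response must come from the URL the handler validated and never from a redirect target, state that, e.g. `// Redirects are disabled so the response always comes from the validated URL; a redirect target is never followed.` Moving the Timeout assignment into the initializer leaves `public SignedHttpRequestHandler() { }` empty, so either drop the constructor or keep it deliberately for its XML documentation. The rest of the class, including where `_defaultHttpClient` is used and whether it is disposed, is outside this hunk.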