dotnet · twsouthwick · Feb 17, 2023 · Feb 17, 2023 · Feb 17, 2023 · Feb 17, 2023
diff --git a/...spNetCore.SystemWebAdapters.CoreServices/Authentication/RemoteAppAuthenticationService.cs b/...spNetCore.SystemWebAdapters.CoreServices/Authentication/RemoteAppAuthenticationService.cs
@@ -109,21 +109,29 @@ internal static void AddHeaders(IEnumerable<string> headersToForward, HttpReques
         if (headersToForward.Any())
         {
             headerNames = headerNames.Where(headersToForward.Contains);
-        }
-
-        foreach (var headerName in headerNames)
-        {
-            // Workaround for an issue identified by https://github.com/dotnet/systemweb-adapters/issues/228.
-            // HttpClient wrongly uses comma (",") instead of semi-colon (";") as a separator for Cookie headers.
-            // To mitigate this, we concatenate them manually and put them back as a single header value.
-            // This workaround can be removed once we target .NET 7+ as Kestrel is fixed there.
-            if (string.Equals(headerName, HeaderNames.Cookie, StringComparison.OrdinalIgnoreCase))
-            {
-                authRequest.Headers.Add(headerName, string.Join("; ", originalRequest.Headers[headerName].ToArray()));
-                continue;
-            }
-
-            authRequest.Headers.Add(headerName, originalRequest.Headers[headerName].ToArray());
+        }
+
+        foreach (var headerName in headerNames)
+        {
+            var originalHeaders = (IEnumerable<string>)originalRequest.Headers[headerName];
+
+            // Workaround for an issue identified by https://github.com/dotnet/systemweb-adapters/issues/228.
+            // HttpClient wrongly uses comma (",") instead of semi-colon (";") as a separator for Cookie headers.
+            // To mitigate this, we concatenate them manually and put them back as a single header value.
+            // This workaround can be removed once we target .NET 7+ as Kestrel is fixed there.
+            if (string.Equals(headerName, HeaderNames.Cookie, StringComparison.OrdinalIgnoreCase))
+            {
+                authRequest.Headers.Add(headerName, string.Join("; ", originalHeaders));
+                continue;
+            }
+
+            // Workaround for an issue when adding an empty Authorization header
+            if (string.Equals(headerName, HeaderNames.Authorization, StringComparison.OrdinalIgnoreCase))
+            {
+                originalHeaders = originalHeaders.Where(x => !string.IsNullOrEmpty(x));
+            }
+
+            authRequest.Headers.Add(headerName, originalHeaders);
         }
     }
 

diff --git a/...ystemWebAdapters.CoreServices.Tests/Authentication/RemoteAppAuthenticationServiceTests.cs b/...ystemWebAdapters.CoreServices.Tests/Authentication/RemoteAppAuthenticationServiceTests.cs
@@ -63,6 +63,20 @@ public static IEnumerable<object[]> GetHeadersForConcatenation()
         {
             new Dictionary<string, StringValues>(){ { "Cookie", new StringValues(new[] { "1", "2" }) } },
             new Dictionary<string, StringValues>(){ { "Cookie", new StringValues(new[] { "1; 2" }) } }
+        };
+
+        // Authorization header with a token
+        yield return new object[]
+        {
+            new Dictionary<string, StringValues>(){ { "Authorization", new StringValues("TOKEN") } },
+            new Dictionary<string, StringValues>(){ { "Authorization", new StringValues("TOKEN") } }
+        };
+
+        // Empty authorization header
+        yield return new object[]
+        {
+            new Dictionary<string, StringValues>(){ { "Authorization", new StringValues(string.Empty) } },
+            new Dictionary<string, StringValues>()
         };
     }
 }