Details
- Bug
- Resolution: Unresolved
- P2: Important
- None
- 6.6.0
- None
Description
Symptom
We are trying to download files from a JFrog repo which has a backend on Amazon AWS, using QNetworkAccessManager::get().
For JFrog, the authentication uses an HTTP header of type "Authorization: Basic" with username and password.
Then, JFrog responds with a redirection URL to get the file from AWS (if the file is more than 200 KB). This redirected URL contains the full authentication for AWS (2'000+ characters), with tokens directly in the URL (valid for 60s).
However, when the QNetworkAccessManager tries to reach this new URL automatically, we receive a code 400, preventing access to the resource.
It seems (but not 100% sure) that the QNetworkAccessManager re-sends the original request with the HTTP Authorization headers containing the original authentication (for JFrog) to AWS, and AWS sees a double authentication (HTTP header + URL tokens) and drops the connection!
Tests
- Using the redirected URL directly in a browser (Chrome) works fine (but the authorization headers are not contained when copying the URL).
- Using curl also seems to work fine with the redirection, since curl 7.58 (2018).
- Other technologies (Kotlin) also seem to work fine in some cases.
Options
- Is there any way to get such redirection working (automatically) with Qt 6 already? Did I miss something?
- I guess that it would be possible to do this redirection manually by deactivating the automatic redirection, but it would not be practical.
- From what I could read here, in curl 7.58 they decided to implement the removal of the custom Authorization header during redirection. Is it something that could be considered in Qt as well? It's not clear to me whether this is more a hack or something well defined that makes sense.
Best regards.
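
The rule the report attributes to curl, dropping the Authorization header when a redirect leaves the origin the credentials were sent to, written as plain C++ that a manual redirect handler could call before re-issuing the request. This is an added example, not code from Qt or from the reporter; `originOf`, `headersForRedirect` and the choice to compare scheme, host and port are assumptions.

```cpp
// Added example (plain C++, no Qt types); all names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <iterator>
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;
struct Origin { std::string scheme, host; int port; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Minimal origin parser for absolute http/https URLs (no IPv6 literals).
// Anything it cannot parse yields an empty origin, which never matches.
Origin originOf(const std::string& url) {
    const Origin none{"", "", -1};
    const auto sep = url.find("://");
    if (sep == std::string::npos) return none;
    Origin o{lower(url.substr(0, sep)), "", -1};
    o.port = o.scheme == "https" ? 443 : o.scheme == "http" ? 80 : -1;
    const auto end = url.find_first_of("/?#", sep + 3);
    std::string auth = url.substr(sep + 3, end == std::string::npos ? end : end - sep - 3);
    const auto at = auth.rfind('@');                 // ignore userinfo
    if (at != std::string::npos) auth.erase(0, at + 1);
    const auto colon = auth.rfind(':');
    if (colon != std::string::npos) {                // explicit port
        const std::string p = auth.substr(colon + 1);
        if (p.empty() || p.size() > 5 || !std::all_of(p.begin(), p.end(),
                [](unsigned char c) { return std::isdigit(c) != 0; })) return none;
        o.port = std::stoi(p);
        auth.erase(colon);
    }
    o.host = lower(auth);
    return o;
}

// Headers to send to the redirect target: the Authorization header is kept
// only when scheme, host and port are unchanged.
Headers headersForRedirect(const std::string& from, const std::string& to, Headers h) {
    const Origin a = originOf(from), b = originOf(to);
    const bool same = !a.host.empty() && a.port > 0 && a.scheme == b.scheme &&
                      a.host == b.host && a.port == b.port;
    for (auto it = h.begin(); !same && it != h.end();)
        it = lower(it->first) == "authorization" ? h.erase(it) : std::next(it);
    return h;
}
```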