  1. Qt
  2. QTBUG-126851

Authorization headers issues with HTTPS redirection


Details

    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 6.6.0
    • Network
    • None
    • Windows

    Description

      Symptom

      We are trying to download files from a JFrog repo which has a backend on Amazon AWS, using QNetworkAccessManager::get().

      For JFrog, the authentication uses an HTTP header of type "Authorization: Basic" with username and password.

      Then, JFrog responds with a redirection URL to get the file from AWS (if the file is more than 200 KB). This redirected URL contains the full authentication for AWS (2'000+ characters), with tokens directly in the URL (valid for 60s).

      However, when the QNetworkAccessManager tries to reach this new URL automatically, we receive a code 400, preventing access to the resource. 

      It seems (but not 100% sure) that the QNetworkAccessManager re-sends the original request with the HTTP Authorization headers containing the original authentication (for JFrog) to AWS, and AWS sees a double authentication (HTTP header + URL tokens) and drops the connection!

      Tests

      • Using the redirected URL directly in a browser (Chrome) works fine (but the authorization headers are not contained when copying the URL).
      • Using curl also seems to work fine with the redirection, since curl 7.58 (2018).
      • Other technologies (Kotlin) also seem to work fine in some cases.

      Options

      • Is there any way to get such redirection working (automatically) with Qt 6 already? Did I miss something?
      • I guess that it would be possible to do this redirection manually by deactivating the automatic redirection, but it would not be practical.
      • From what I could read here, in curl 7.58 they decided to implement the removal of the custom Authorization header during redirection. Is it something that could be considered in Qt as well? It's not clear to me whether this is more a hack or something well defined that makes sense.

      Best regards.
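
      The manual-redirect option in the report needs a rule for when the original credentials may follow a redirect. As an added example (not code from the report or from Qt; `originOf` and `headersForRedirect` are hypothetical helper names, and the URLs in `main` are constructed placeholders), this standard C++ code keeps `Authorization` only when scheme, host and port are unchanged. It assumes the `Location` value has already been resolved to an absolute URL and drops the header if the target cannot be parsed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Added example; these names are hypothetical helpers, not Qt API.
using Headers = std::map<std::string, std::string>;
struct Origin { std::string scheme, host, port; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Origin of an absolute http(s) URL, with the default port filled in.
Origin originOf(const std::string& url) {
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return {};            // not absolute: unknown origin
    const std::string scheme = lower(url.substr(0, schemeEnd));
    const auto start = schemeEnd + 3;
    std::string authority = url.substr(start, url.find_first_of("/?#", start) - start);
    const auto at = authority.rfind('@');                     // ignore userinfo
    if (at != std::string::npos) authority.erase(0, at + 1);
    std::string port = (scheme == "https") ? "443" : "80";
    const auto colon = authority.rfind(':');                  // skip colons inside an IPv6 literal
    if (colon != std::string::npos && authority.find(']', colon) == std::string::npos) {
        if (colon + 1 < authority.size()) port = authority.substr(colon + 1);
        authority.erase(colon);
    }
    return {scheme, lower(authority), port};
}

// Headers for the follow-up request: Authorization survives only a same-origin redirect.
Headers headersForRedirect(const std::string& from, const std::string& to, Headers h) {
    const Origin a = originOf(from), b = originOf(to);
    const bool same = !b.scheme.empty() && a.scheme == b.scheme && a.host == b.host && a.port == b.port;
    for (auto it = h.begin(); !same && it != h.end();)
        it = (lower(it->first) == "authorization") ? h.erase(it) : ++it;
    return h;
}

int main() {
    // Constructed sample: placeholder hosts and token, not the reporter's real URLs.
    const Headers sent{{"Authorization", "Basic <placeholder>"}, {"Accept", "*/*"}};
    const auto next = headersForRedirect("https://artifacts.example.com/repo/file.bin",
        "https://bucket.storage.example.net/file.bin?X-Token=placeholder", sent);
    for (const auto& kv : next) std::cout << kv.first << ": " << kv.second << "\n";
}
```

      In a Qt client the same decision would be applied when building the follow-up request after disabling automatic redirects, which is the manual approach the reporter describes.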


          People

            manordheim Mårten Nordheim
            a.habersaat Alexandre Habersaat