Symptom

We are trying to download files from a JFrog repo which has a backend on Amazon AWS, using QNetworkAccessManager::get().

For JFrog, the authentication uses an HTTP header of type "Authorization: Basic" with username and password.

Then, JFrog responds with a redirection URL to get the file from AWS (if the file is more than 200 KB). This redirected URL contains the full authentication for AWS (2'000+ characters), with tokens directly in the URL (valid for 60s).

However, when the QNetworkAccessManager tries to reach this new URL automatically, we receive a code 400, preventing access to the resource. 

It seems (but not 100% sure) that the QNetworkAccessManager re-sends the original request with the HTTP Authorization headers containing the original authentication (for JFrog) to AWS, and AWS sees a double authentication (HTTP header + URL tokens) and drops the connection !

Tests

• Using the redirected URL directly in a browser (Chrome) works fine (but the authorization headers are not contained when copying the URL).
• Using curl also seems to work fine with the redirection, since curl 7.58 (2018).
• Other technologies (Kotlin) also seem to work fine in some cases.

Options

• Is there any way to get such redirection working (automatically) with Qt 6 already ? Did I miss something ?
• I guess that it would be possible to do this redirection manually by deactivating the automatic redirection, but it would not be practical.
• From what I could read here, in curl 7.58 they decided to implement the removal of custom Authorization header during redirection. Is it something that could be considered in Qt as well ? It's not clear for me whether this is more a hack or something well defined that makes sense.

Best regards.