Do not send Authorization header when redirecting after auth (#561)

Author: jonesbusy

src/main/java/land/oras/auth/HttpClient.java

@@ -525,7 +525,7 @@ private <T> ResponseWrapper<T> executeRequest(
                         newScopes,
                         authProvider);
             }
-            return redoRequest(response, builder, handler, newScopes, authProvider);
+            return redoRequest(uri, response, builder, handler, newScopes, authProvider);
         } catch (Exception e) {
             if (e instanceof OrasException) {
                 throw (OrasException) e;
@@ -542,6 +542,7 @@ private <T> String getLocationHeader(HttpResponse<T> response) {
     }
 
     private <T> ResponseWrapper<T> redoRequest(
+            URI originUri,
             HttpResponse<T> response,
             HttpRequest.Builder builder,
             HttpResponse.BodyHandler<T> handler,
@@ -572,7 +573,15 @@ private <T> ResponseWrapper<T> redoRequest(
                 // Follow redirect
                 if (shouldRedirect(newResponse)) {
                     String location = getLocationHeader(newResponse);
-                    LOG.debug("Redirecting after auth to {}", location);
+                    URI redirectUri = URI.create(location);
+                    LOG.debug("Redirecting to {} from domain {} to domain {}", location, originUri, redirectUri);
+                    boolean includeAuthHeaderForRedirect = isSameOrigin(originUri, redirectUri);
+                    if (!includeAuthHeaderForRedirect) {
+                        LOG.debug("Skipping auth header for redirect from {} to {}", originUri, redirectUri);
+                        builder = HttpRequest.newBuilder(
+                                builder.build(), (name, value) -> !name.equalsIgnoreCase(Const.AUTHORIZATION_HEADER));
+                    }
+
                     return toResponseWrapper(
                             client.send(builder.uri(URI.create(location)).build(), handler));
                 }