@@ -525,7 +525,7 @@ private <T> ResponseWrapper<T> executeRequest(
525525 newScopes ,
526526 authProvider );
527527 }
528- return redoRequest (response , builder , handler , newScopes , authProvider );
528+ return redoRequest (uri , response , builder , handler , newScopes , authProvider );
529529 } catch (Exception e ) {
530530 if (e instanceof OrasException ) {
531531 throw (OrasException ) e ;
@@ -542,6 +542,7 @@ private <T> String getLocationHeader(HttpResponse<T> response) {
542542 }
543543
544544 private <T > ResponseWrapper <T > redoRequest (
545+ URI originUri ,
545546 HttpResponse <T > response ,
546547 HttpRequest .Builder builder ,
547548 HttpResponse .BodyHandler <T > handler ,
@@ -572,7 +573,15 @@ private <T> ResponseWrapper<T> redoRequest(
572573 // Follow redirect
573574 if (shouldRedirect (newResponse )) {
574575 String location = getLocationHeader (newResponse );
575- LOG .debug ("Redirecting after auth to {}" , location );
576+ URI redirectUri = URI .create (location );
577+ LOG .debug ("Redirecting to {} from domain {} to domain {}" , location , originUri , redirectUri );
578+ boolean includeAuthHeaderForRedirect = isSameOrigin (originUri , redirectUri );
579+ if (!includeAuthHeaderForRedirect ) {
580+ LOG .debug ("Skipping auth header for redirect from {} to {}" , originUri , redirectUri );
581+ builder = HttpRequest .newBuilder (
582+ builder .build (), (name , value ) -> !name .equalsIgnoreCase (Const .AUTHORIZATION_HEADER ));
583+ }
584+
576585 return toResponseWrapper (
577586 client .send (builder .uri (URI .create (location )).build (), handler ));
578587 }
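Review bot: `URI.create(location)` on the new line 576 yields a host-less URI when the registry returns a relative `Location` (RFC 7231 permits one), so `isSameOrigin` would presumably see a null host and strip the Authorization header from what is actually a same-origin redirect, and `builder.uri(...)` on line 586 would then reject the relative URI anyway; resolving against the original request fixes both cases and lets the second `URI.create(location)` on line 586 be dropped: `URI redirectUri = originUri.resolve(location);` and `client.send(builder.uri(redirectUri).build(), handler));`. Since `isSameOrigin` is not in the hunk, it is worth confirming it compares scheme and effective port as well as host — a host-only comparison would still forward the header on an https-to-http redirect to the same host. The debug line 577 says "domain" but prints full URIs; `"Redirecting to {} from {} to {}"` would be accurate. redoRequest starts in the previous hunk and its body continues past this one.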