Forward authorization header on 307 redirect

[kurtanr]

Hello,

I have a downstream service which uses Bearer authentication.
In my reverse proxy project, for a route which matches this downstream service, I have a custom transformation which is adding the Bearer authentication header:

requestTransformContext.ProxyRequest.Headers.Authorization =
  new AuthenticationHeaderValue("Bearer", myJwtAccessToken);

This works great except in one case - if downstream service has UseHttpsRedirection and the yarp cluster destination address is http (not https).

In this case the downstream service replies with 307 temporary redirect. Yarp then makes a call to the https endpoint (AllowAutoRedirect is set to true in a call to ConfigureHttpClient), but without the authorization header, and the downstream service responds with 401 unauthorized.

Is there a way to instruct yarp to include the authorization header in the redirected request?

[karelz]

Triage: Instead of letting YARP handle redirects from backend, you should set up YARP to initiate https requests to the backend instead of http.
YARP is meant to propagate all redirects from backend to the client.

[kurtanr]

Hi Karel, thank you for your answer.

The reverse proxy project I'm working on is an internal company project which will be deployed alongside various other company products (in various bundles). Each product will write their own YARP configuration file. So from my perspective I don't know if the backend exposes http or https (or if it has UseHttpsRedirection enabled).

The idea was to handle this particular use-case in the reverse proxy project to protect the backend developer from incorrectly configuring YARP (it could be that it is better to just let such a request fail with 401, not sure).

Anyway, if there is no simple way to do that, our internal documentation will just mention this particular use-case as something to be aware of, and you can mark the issue as answered.