阻止curl在302重定向上发送Authorization标头 [英] Stopping curl from sending Authorization header on 302 redirect

问题描述

我正在使用 curl 连接到REST API。 REST API在 Authorization 标头中使用Bearer令牌。因此，我的 curl 调用看起来像这样：

I am using curl to connect to a REST API. The REST API uses a Bearer token in the Authorization header. So my curl call looks like this:

curl -H "Authorization: Bearer <token>" https://www.example.com/api

此API已开始返回302重定向作为响应

This API has started returning a 302 redirect in response to my API call.

我添加了 -L 选项来指示 curl 遵循重定向：

I added the -L option to instruct curl to follow the redirect:

curl -L -H "Authorization: Bearer <token>" https://www.example.com/api

现在 curl 确实执行了重定向。

Now curl does perform the redirect.

这是问题：curl正在发送自定义的 Authorization 标头与重定向。我已经使用 -v 选项对此进行了验证，因此它向我显示了它正在发送的标头。

Here's the problem: curl is sending the custom Authorization header along with the redirect. I have verified this using the -v option so it shows me the headers it's sending.

新服务器（我相信Windows Azure）实际上无法使用400状态代码调用，因为它不喜欢 Authorization 标头。重定向的URL根本不需要授权标头。

The new server (Windows Azure I believe) actually fails the call with a 400 status code because it does not like the Authorization header. The redirected URL does not want an authorization header at all.

因此，如何获取 curl 不发送我的自定义 Authorization 重定向标头？还是有另一种方式指定 Authorization 标头来避免该问题。

So, how can I get curl to not send my custom Authorization header on redirects? Or is there another way to specify the Authorization header that will avoid the issue.

推荐答案

此问题已在 curl 7.58.0 中修复。特别是为了避免将凭据泄漏到重定向位置。

This has been fixed in curl 7.58.0. Specifically to avoid leaking the credentials to the redirect location.

使用curl 7.58.0可以在不进行任何更改的情况下正常工作。如果仍要通过凭据，则必须使用-受位置信任的选项。

With curl 7.58.0 it should work without making any changes. If you still want to pass through the credentials, you have to use the --location-trusted option.

除了使用 -L 选项解析 Location not 之外，没有较早版本的解决方法c>自己动手，并对新位置进行单独的请求。 （如Matt Houser所述）

There are no workarounds for earlier versions except for not using the -L option, parsing the Location field yourself and doing a separate request to the new location. (as mentioned by Matt Houser)

您可以找到有关此更改的更多信息此处。

You can find some more information on this change here.

这篇关于阻止curl在302重定向上发送Authorization标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！