HTTP Redirects Drop Authentication Credentials RRS feed

  • Question

  • As reported on Twitter, when using the Scheduler configured for an HTTP request with basic auth enabled, if the endpoint redirects to another location, the redirect is honored but the credentials are omitted.

    To help illustrate the issue, I created a demo (source code). This code creates at two endpoints, `here/` which redirects to `there/`, both of which require authentication to be supplied (but any username/password combination is accepted).

    With curl, you can see how I expect a client to pass the credentials following a redirect: master $ curl -u any:any
    This resource resides temporarily at <a href=""></a>. master $ curl -L -u any:any
    You got there!

    The verbose output of the latter command can be seen at this gist. Other clients, such as browsers, httpie, and wget also include the credentials when following the redirect.

    If you configure the Azure Scheduler to use and configure some Basic credentials, the task will fail when it redirects to /auth-demo/there/ and gets a 401 response because it hasn't passed the credentials.

    The HTTP client used by Azure Scheduler should match the behavior of these other user agents and pass the credentials.

    Thursday, July 5, 2018 1:42 PM


  • Hi Jason, Apologies for the delayed response. I've been working internally with the Scheduler team to address your feedback. Still waiting for an official update. In the meantime, I recommend evaluating Azure's Logic App service for your Scheduler-based scenarios as Logic App is a super set of Scheduler's features. I am also following up internally to see if Logic App's http client exhibits a similar behavior upon Http 302 redirects.
    Wednesday, July 18, 2018 11:21 PM