Synthetic API test is failing when sending auth token to AWS image redirect

My script is successfully creating an Authorization Bearer token which I then send to my media API endpoint that results in a redirect to an AWS image retrieve. This retrieve is failing with this message:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

The problem is that the original Authorization Bearer token that I’ve generated is also getting passed along in the header of the resulting image request (redirect) which also contains the X-Amz-Algorithm param.

Is there a way to prevent the Authorization Bearer from being sent to the redirect/subsequent requests?

After much Googling, I found that this used to be a problem in older versions of curl but was fixed in newer versions.

My second thought to avoid the issue was to not follow redirects by adding this to no avail:

headers: {
    'Authorization': 'Bearer ' + access_token,
    'followRedirect': false,
    'followAllRedirects': false
}

My thought was to just inspect the header and confirm the ‘location:’ is correct instead of actually following it but nothing seems to prevent that redirect from happening.

Any suggestions would be greatly appreciated.

I found this answer at SO… “this is normal behavior for any HTTP client to resend all the headers to redirect location which they have sent to the original URL. There is nothing that you can do here. But most of the HTTP clients will resend the “Authorization” header only if the redirect location is on the same domain/origin.” java - How to remove authorization header in a http 302 response - Stack Overflow

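Added example, not part of the original thread: one way to do the check described above, which is to inspect the redirect instead of following it, and if it is followed manually, to forward the Authorization header only when the target is the same origin. It assumes the HTTP client has been told not to follow redirects (a client setting, not a request header); the function names, URLs and token are hypothetical, constructed values.

```javascript
// Added example, not from the thread. Pure functions, no network calls.
// All URLs and token values below are constructed placeholders.

// Which of the auth mechanisms named in the error message a request carries.
function s3AuthMechanisms(url, headers) {
  const query = new URL(url).searchParams;
  const found = [];
  if (query.has('X-Amz-Algorithm')) found.push('X-Amz-Algorithm');
  if (query.has('Signature')) found.push('Signature');
  if (Object.keys(headers).some((h) => h.toLowerCase() === 'authorization')) {
    found.push('Authorization');
  }
  return found; // more than one entry reproduces the rejection
}

// Inspect a 3xx response without following it.
function checkRedirect(fromUrl, response, expectedHost) {
  if (![301, 302, 303, 307, 308].includes(response.statusCode)) {
    return { ok: false, reason: 'not a redirect: ' + response.statusCode };
  }
  if (!response.headers.location) return { ok: false, reason: 'no Location header' };
  const target = new URL(response.headers.location, fromUrl); // may be relative
  if (target.protocol !== 'https:') return { ok: false, reason: 'not https' };
  if (target.hostname !== expectedHost) {
    return { ok: false, reason: 'unexpected host: ' + target.hostname };
  }
  return { ok: true, url: target.href };
}

// Headers for a manually followed redirect: credentials stay on the origin
// they were issued for.
function headersForRedirect(fromUrl, targetUrl, headers) {
  const sameOrigin = new URL(fromUrl).origin === new URL(targetUrl).origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const credential = ['authorization', 'cookie'].includes(name.toLowerCase());
    if (sameOrigin || !credential) out[name] = value;
  }
  return out;
}

const apiUrl = 'https://media.example.test/v1/images/42';
const sent = { Authorization: 'Bearer CONSTRUCTED_TOKEN', Accept: 'image/png' };
const resp = { statusCode: 302, headers: { location:
  'https://bucket.s3.example.test/img.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=CONSTRUCTED' } };
const verdict = checkRedirect(apiUrl, resp, 'bucket.s3.example.test');
const forwarded = headersForRedirect(apiUrl, verdict.url, sent);
console.log(verdict.ok, s3AuthMechanisms(verdict.url, sent), s3AuthMechanisms(verdict.url, forwarded));
```

With the original headers the redirected request carries two mechanisms; with the filtered headers only the presigned query parameter remains, and the bearer token never leaves the API's origin.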