How do I send authorization header with remote redirect?

Hi,

I understand that automatically copying the authorization header to a remote redirection has a potential security issue, but is there a way to allow this for a whitelist? My requirement is to send a JWT when redirecting from my login server back to my application server. My current code is similar to this (on my login server):

res.header( 'x-authorization', "Bearer " + JWT );
res.redirect(307, 'http://appServer:5001/?key=value' );

Cheers,
Simon

Author: Fantashit

4 thoughts on “How do I send authorization header with remote redirect?”

  1. A redirection in the HTTP protocol doesn’t support adding any headers to the target location. It’s basically just a header in itself and only allows for a URL.

    It looks something like this:

    HTTP/1.1 307 Temporary Redirect
    Location: http://appServer:5001/?key=value
    

    When you are adding your x-authorization header with res.header('X-Authorization', 'Bearer ' + jwt) you are only sending that header back to the client:

    HTTP/1.1 307 Temporary Redirect
    Location: http://appServer:5001/?key=value
    X-Authorization: ...
    

    Some possible solutions:

    1. If the servers share a common domain, create a cookie on a domain that spans both (e.g. create cookie on domain.com if login is at auth.domain.com and the app at app.domain.com)

    2. If you only need the JWT in your client JavaScript, consider adding it as a search param to the redirect URL. The search params won’t be sent to the server when requesting a URL, so the token shouldn’t end up in any logs.

    res.redirect(307, `http://appServer:5001/?key=value#token=${jwt}`)
    // In the browser: the token is in the fragment (after #), so read it from location.hash
    const token = new URLSearchParams(document.location.hash.slice(1)).get('token')
    3. If it’s only one request, you could do the request from your server and pipe the response back.
    // Simplified!
    const http = require('http')
    http.request('http://appServer:5001/?key=value', { headers: { Authorization: 'Bearer ' + jwt } })
      .on('response', (response) => response.pipe(res)).end()
  2. @LinusU Many thanks.
    Well I’ve learnt something! I wasn’t aware that search params (#) won’t be sent to the server – cool.

    As all my app servers will be in the same domain, I’ve already started coding with the JWT in a cookie.

    Thanks for your help.

    Cheers,
    Simon

  3. @hilaryhacksel It’s not really that any RFC says it shouldn’t be that way, it’s just that the standard only allows for a single value; the url to redirect to. Thus there is just nowhere to put that extra information ☺️

  4. Sending a token using a URL is a super bad idea in terms of security.

    Use a cookie.

    res.cookie('token', 'Your token', {
      maxAge: 60000, // Lifetime
    })

    return res.redirect('http://localhost:8080/') // Front-End App
