Sam (03/31/2023, 1:37 AM): sendWithoutRequest block, it looks for a 401 response with a WWW-Authenticate header with a matching realm and then sends that token? Is there any way to short-circuit or restrict that?

Aleksei Tirman [JB] (03/31/2023, 4:03 AM): sendWithoutRequest returns true an initial request contains the Authorization header with the Bearer token.

Sam (03/31/2023, 4:04 AM):

Sam (03/31/2023, 4:06 AM):

Aleksei Tirman [JB] (03/31/2023, 4:06 AM): refreshTokens block to obtain new tokens.

Aleksei Tirman [JB] (03/31/2023, 4:08 AM):

Sam (03/31/2023, 4:10 AM): bearer auth configured for each domain with its own realm. If Domain B were compromised, they could send a malicious WWW-Authenticate header containing A's realm and the client would automatically send them my token for A.
Basically, there's no way to say "apply this auth provider to ONLY these requests". You can tell it to eagerly send for certain requests, but it always falls back on that header.

Sam (03/31/2023, 4:11 AM):

Sam (03/31/2023, 4:11 AM): HttpClient to be constructed for each domain

Sam (03/31/2023, 4:12 AM):

Aleksei Tirman [JB] (03/31/2023, 4:16 AM): Authorization header would be the solution.

Sam (03/31/2023, 4:19 AM):

Sam (03/31/2023, 4:22 AM): sendIf or the like to provide a fully custom behavior, but this was just a hypothetical anyway.
Thanks for the chat!

Rustam Siniukov (03/31/2023, 8:09 AM): sendWithoutRequest accepts HttpRequestBuilder, you can check which domain the request is made to

Sam (03/31/2023, 1:35 PM):

Rustam Siniukov (03/31/2023, 1:44 PM): realm matches (or null)

Sam (03/31/2023, 2:59 PM):