# ktor
n
I have run into an issue related to WebSockets. I have a WebSocket endpoint (with Netty engine) which requires "bearer" authorization. Although the client is configured to always send the tokens:
```kotlin
Auth {
    bearer {
        sendWithoutRequest { true }
        refreshTokens {
            BearerTokens(requestToken(...), "")
        }
    }
}
```
it does not send an `Authorization` header when it connects first. Therefore the server correctly responds with status 401. From this point the behaviour differs for the CIO and the Java client engines:
• the CIO engine detects the 401 status, requests the token using `refreshTokens`, connects again now with an `Authorization` header included, and the connection succeeds with status 101.
• the Java engine does not detect the 401 status but fails with: `failed with exception: java.net.http.WebSocketHandshakeException`
This must be a bug, right? (I use Ktor 3-beta-1 but the behaviour was the same with the latest Ktor 2.)
a
How do you check that the `Authorization` header isn't sent? Can you please file the Java engine issue?
n
> How do you check that the `Authorization` header isn't sent?

By logging the request on the client side:
```
2024-01-18 10:10:24,635 INFO [DefaultDispatcher-worker-5] io.ktor.client.HttpClient - REQUEST: ws://localhost:40010/websocket
METHOD: HttpMethod(value=GET)
COMMON HEADERS
-> Accept: */*
-> Accept-Charset: UTF-8
CONTENT HEADERS
-> Connection: Upgrade
-> Sec-WebSocket-Key: N2QyNjc1ODE4MDBhMGZkZg==
-> Sec-WebSocket-Version: 13
-> Upgrade: websocket
2024-01-18 10:10:24,734 INFO [DefaultDispatcher-worker-6] io.ktor.client.HttpClient - REQUEST ws://localhost:40010/websocket failed with exception: java.net.http.WebSocketHandshakeException
```
a
Can you please check that with a protocol analyzing tool, e.g., Wireshark, to make sure?

> protocol analyzing tool

I will... But as a quick validation, I printed the request headers with the `CallLogging` server plugin and the `Authorization` header is not present in the first request, only the ones logged on the client side as well:
```
Connection=[Upgrade]
Host=[localhost:40010]
Upgrade=[websocket]
Accept=[*/*]
Accept-Charset=[UTF-8]
Sec-WebSocket-Key=[kc+d6rnCpyJjbFzLLqOG/A==]
Sec-WebSocket-Version=[13]
User-Agent=[Ktor client]
```