The curious case of missing Authorization header

I have been wasting time on a small issue adding Authorization header into HttpClient.

The code was plain and simple:

Specifically, I was writing a .NET Core console app, following this wiki page and trying to access However, I kept getting 401 Unauthorize response and response.RequestMessage.Headers was completely empty.

After having spent some time searching for solution on the Internet but to no avail, I opened Fiddler to see the actual HTTP requests. Turns out, this was what happened behind the scene:

There were actually 2 requests. The first one has the Authorization header and returns a 302 Found. Automatic redirection of HttpClient triggers the second request, and this one didn’t have any Authorization header.

Normally I can just stop there, accept that how things work in .NET and find a workaround. But since .NET Core is open source on GitHub, I decided to dig a bit deeper to understand the reason of this implementation. A quick search about redirection on the corefx repo in GitHub gave me the exact commit that I need: And voila, I could see the line in RedirectHandler.cs that causing the issue:

and I could also see the reason in SocketsHttpHandler.cs:


I finally solved my curious case, and I hope this post is useful to you. Feel free to leave me a comment and let me know if you have any suggestion on securely implement the redirection with Authorization header.