Skip to content

401 Unauthorized when following a redirect url on a personal OneDrive account and keeping the original request headers #1901

New issue
New issue
Open
Open
401 Unauthorized when following a redirect url on a personal OneDrive account and keeping the original request headers#1901
@Quiwin

Description

@Quiwin
Quiwin
opened on May 15, 2025

Category

  • Bug

Expected or Desired Behavior

Following a redirect from GET /drives/{drive-id}/items/{item-id}/content to download the file content should send back the file under a 200.

Observed Behavior

When the redirect url is under https://my.microsoftpersonalcontent.com/personal, a GET that keeps the initial Authorization header get a 401 unauthorized.

Details 
  class HTTPartyDebug
    include HTTParty
    debug_output
  end

  bearer_token = <>

  headers = {
    'Accept' => 'application/json',
    'Content-Type' => 'application/json',
    'Authorization' => "Bearer #{bearer_token}",
  }

  HTTPartyDebug.get(
    'https://graph.microsoft.com/v1.0/me/drive/items/<item_id>/content',
    headers: headers
  )
  # <- "GET /v1.0/me/drive/items/<item_id>/content HTTP/1.1\r\nAccept: application/json\r\nContent-Type: application/json\r\nAuthorization: Bearer <bearer_token>\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nUser-Agent: Ruby\r\nConnection: close\r\nHost: graph.microsoft.com\r\n\r\n"
  # -> "HTTP/1.1 302 Found\r\n"
  # -> "Cache-Control: max-age=0, private\r\n"
  # -> "Location: https://my.microsoftpersonalcontent.com/personal/[...]"
  # [...]
  #
  # <- "GET /personal/[...] HTTP/1.1\r\nAccept: application/json\r\nContent-Type: application/json\r\nAuthorization: Bearer <bearer_token>\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nUser-Agent: Ruby\r\nConnection: close\r\nHost: my.microsoftpersonalcontent.com\r\n\r\n"
  # -> "HTTP/1.1 401 Unauthorized\r\n"
  # -> "Cache-Control: private\r\n"
  # -> "Content-Length: 64\r\n"
  # -> "Content-Type: application/json\r\n"
  # -> "P3P: CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"\r\n"
  # [...]
  # -> "{\"error\":{\"code\":\"unauthenticated\",\"message\":\"Unauthenticated\"}}"
  # read 64 bytes
  # Conn close
  #=> #<HTTParty::Response:0x64e60 parsed_response={"error"=>{"code"=>"unauthenticated", "message"=>"Unauthenticated"}},

Manually following the redirect while keeping the headers also causes a 401.

  redirect_url = "https://my.microsoftpersonalcontent.com/personal/[...]" # Extracted from previous output
  HTTPartyDebug.get(
    redirect_url,
    headers: headers
  )
  # [...]
  # -> "HTTP/1.1 401 Unauthorized\r\n"
  # -> "{\"error\":{\"code\":\"unauthenticated\",\"message\":\"Unauthenticated\"}}"

While following the redirect without the initial Authorization header is successful:

  res = HTTPartyDebug.get(
    redirect_url,
    headers: headers.except('Authorization')
  )
  res.code
  # 200

This is different from redirect_url on https://<pro_domain>.sharepoint.com/personal/<pro_domain>_onmicrosoft_com/... which are ok with or without Authorization headers.

This is an issue for http clients that autofollow redirects while keeping the original request headers.

Steps to reproduce

  • A GET /drives/{drive-id}/items/{item-id}/content on a personal OneDrive
  • Where we follow the redirect url with the original Authorization header

Some possible references:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions