On Thursday, September 28, 2017 at 11:24:48 AM UTC-4, Boyang Li wrote:
>
> Just a follow-up question here:
>
> When I try to use the redirect function raise HTTP(303,location=URL(...),**request.headers) to redirect to an external app, my external app cannot find the redirected authorization header by accessing request.env.HTTP_AUTHORIZATION.
>
Two problems. First, there is no request.headers, so presumably the above code generates an exception (resulting in a 500 response), not a 303 response. There is a response.headers, but it would not contain the "Authorization" header, as that is a *request* header.

In any case, there would be no point in passing the "Authorization" header back as a *response* header -- what you really need is for the client to generate its next request using the "Authorization" header (which is the responsibility of the client). If the redirect URL was back to the same domain as the original request, the client (presumably a browser) would automatically re-send the original "Authorization" header. However, for security reasons, browsers will not send an "Authorization" header to a different domain.

If the initial request is made via Ajax, you can write JavaScript code to detect the 303 response and instead of following the redirect, simply make a new Ajax request to the other domain. Actually, if using Ajax, there would be no particular reason to even use a 303 response -- you can simply return a 200 response with a flag (in the headers or body) indicating the external app should be called next.

Anthony
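The 200-response-with-a-flag approach from the reply above, sketched as client-side JavaScript. This is an added example, not code from the thread or from web2py; the `next_url` body field, the `TRUSTED_ORIGINS` allowlist, the function names and the URLs are all assumptions. It goes one step beyond the reply by re-sending the header only to an allowlisted origin, since the client is now the one deciding where the credential goes.

```javascript
// Added example. All names (next_url, TRUSTED_ORIGINS, the URLs) are constructed.
const TRUSTED_ORIGINS = new Set(["https://external.example"]);

// Turn the first app's JSON body into the follow-up request, or null when
// the body carries no handoff flag. Throws if the target is not allowlisted,
// so a tampered or buggy response cannot steer the credential elsewhere.
function buildHandoffRequest(body, authHeader) {
  if (!body || typeof body.next_url !== "string") return null;
  const target = new URL(body.next_url); // throws on a malformed or relative URL
  if (!TRUSTED_ORIGINS.has(target.origin)) {
    throw new Error(`refusing to send Authorization to ${target.origin}`);
  }
  return {
    url: target.href,
    options: {
      method: "GET",
      headers: { Authorization: authHeader },
      // Fail instead of following a redirect issued by the second app.
      redirect: "error",
    },
  };
}

// Call the first app, then call the external app if the response asks for it.
// For a browser to send this cross-origin request, the external app must
// permit the Authorization header in its CORS response headers.
async function callWithHandoff(firstUrl, authHeader, fetchImpl = fetch) {
  const first = await fetchImpl(firstUrl, { headers: { Authorization: authHeader } });
  if (!first.ok) throw new Error(`first request failed: ${first.status}`);
  const body = await first.json();
  const handoff = buildHandoffRequest(body, authHeader);
  if (handoff === null) return body; // no handoff requested
  const second = await fetchImpl(handoff.url, handoff.options);
  if (!second.ok) throw new Error(`handoff request failed: ${second.status}`);
  return second.json();
}
```
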