Support for no rebuilding Authorization header on redirect

[j-adamczyk]

Is your feature request related to a problem?

As far as I can tell, aiohttp always rebuilds Authorization header on redirect and there is no easy way to turn this off. This is also a default behavior in requests library, but it supports overriding this.

Source: method ClientSession._request() in client.py in aiohttp module:

if url.origin() != parsed_url.origin():
    auth = None
    headers.pop(hdrs.AUTHORIZATION, None)

Some APIs, e.g. Cisco Meraki (point 6.) requires not rebuilding authorization header between redirects.

Describe the solution you'd like

Export this bit of code to a separate method, to enable trick similar to requests library: create class inheriting from ClientSession and override method with an empty one to keep authorization header.

For example:

class ClientSession:
    async def _request(...):
    # other code
    auth = self.rebuild_auth(auth, headers)

    def rebuild_auth(self, auth, headers):
        if url.origin() != parsed_url.origin():
            auth = None
            headers.pop(hdrs.AUTHORIZATION, None)
        
        return auth

Describe alternatives you've considered

Alternatively an argument could be added to the _request() method, e.g. rebuild_auth=True, and wrap the rebuilding code in if. However, this would lack the flexibility of inheritance, which allows e.g. for more sophisticated logic of rebuilding authorization headers.

Related component

Client

Additional context

No response

Code of Conduct

• I agree to follow the aio-libs Code of Conduct

[webknjaz]

Duplicate of #5783: It's fixed on master (#5848, will be available in aiohttp v4.0+) and the backport to 3.8 is with only the docs+tests update is #5850. v3.x stream won't support this because it may be a breaking change for some users.