We have a service that redirects the user to an object in an S3 bucket. The authentication for that request is stored in the query portion of the URL.

I understand that the spec doesn't specify what is to be done with request headers in the case of a redirect, but implementations I've seen will strip the Authorization header when HTTP Basic is used.

What's interesting is that when we call our service through HTTP Basic authentication, it works fine. The client strips the Authorization header from the request and the file is delivered from S3.

But when we call our service using OAuth bearer tokens the Authorization header is left in for the redirect, causing S3 to return a 400 error response.

Is there a way for the server's redirect response to instruct the client to strip the Authorization header before accessing the response's Location header?