How to remove Authorization header on redirect on any Flutter/Dart http client
Looking at the Dio docs, it seems like this is intentional behaviour.
All headers added to the request will be added to the redirection request(s). However, any body send with the request will not be part of the redirection request(s).
https://api.flutter.dev/flutter/dart-io/HttpClientRequest/followRedirects.html
However, I understand (and agree!) that this is generally undesirable behaviour. My solution is to manually follow the redirects myself, which is not very nice but works in a pinch.
```dart
Response<String> response;
try {
  response = await dio.get(
    url,
    options: Options(
      // Your headers here, which might be your auth headers
      headers: ...,
      // This is the key - avoid following redirects automatically and handle it ourselves
      followRedirects: false,
    ),
  );
} on DioError catch (e) {
  final initialResponse = e.response;
  // You can modify this to understand other kinds of redirects like 301 or 307
  if (initialResponse != null && initialResponse.statusCode == 302) {
    response = await dio.get(
      // We must get a location header if we got a redirect
      initialResponse.headers.value("location")!,
    );
  } else {
    // Rethrow here in all other cases
    throw e;
  }
}
```
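A more general version of the manual redirect handling above, added here as an example and not part of the original answer: it follows a bounded chain of redirects and forwards the Authorization header only while the target stays on the same origin (scheme, host and port). The helper names `sameOrigin`, `headersFor` and `getFollowingRedirects` and the default of 5 hops are assumptions; only the Dio calls come from the library.

```dart
import 'package:dio/dio.dart';

// Hypothetical helpers for illustration; not part of Dio.
const _redirectCodes = {301, 302, 303, 307, 308};
// Headers dropped on a cross-origin hop; extend with other credential headers.
const _sensitive = {'authorization'};

/// True when both URLs share scheme, host and port.
bool sameOrigin(Uri a, Uri b) =>
    a.scheme == b.scheme && a.host == b.host && a.port == b.port;

/// Headers that may be forwarded when moving from [from] to [to].
Map<String, dynamic> headersFor(
    Uri from, Uri to, Map<String, dynamic> headers) {
  if (sameOrigin(from, to)) return headers;
  return {
    for (final e in headers.entries)
      if (!_sensitive.contains(e.key.toLowerCase())) e.key: e.value,
  };
}

Future<Response<String>> getFollowingRedirects(
    Dio dio, Uri url, Map<String, dynamic> headers,
    {int maxRedirects = 5}) async {
  var current = url;
  var currentHeaders = headers;
  for (var hop = 0; hop <= maxRedirects; hop++) {
    final response = await dio.getUri<String>(
      current,
      options: Options(
        headers: currentHeaders,
        followRedirects: false,
        // Accept 3xx so a redirect is returned instead of thrown.
        validateStatus: (s) => s != null && s >= 200 && s < 400,
      ),
    );
    final location = response.headers.value('location');
    if (!_redirectCodes.contains(response.statusCode) || location == null) {
      return response;
    }
    final next = current.resolve(location); // Location may be relative
    // Once stripped, the header stays off for the rest of the chain.
    currentHeaders = headersFor(current, next, currentHeaders);
    current = next;
  }
  throw StateError('More than $maxRedirects redirects from $url');
}
```

Because the scheme is part of the comparison, a redirect from `https` to `http` on the same host also drops the header.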