- Bug
- Resolution: Done
- Medium
- None
In libraries that use SAML auth, attempting to download books from some distributors may result in a 401 error. An example, on NYU Library, is "A Glass Half Full" by Sanjay Kathuria (or other books from ProQuest).
This happens because of an interaction between LSHTTPBearerTokenInterceptor and LSHTTPRedirectRequestInterceptor. When the request is made to the fulfillment URL in the CM, the app uses a bearer token to authenticate (because SAML). The CM responds with a URL and a bearer token to be used to download the book. LSHTTPBearerTokenInterceptor handles this response by making a copy of the request to the CM, and setting the bearer token and URL to those specified in the response:
Because this is a SAML authenticated library, the LSHTTPRedirectRequestInterceptor is active, to allow the downloader to inject cookies into requests. The modifier function supplied to that interceptor operates on the LSHTTPRequestProperties object attached to the request:
That object still contains the bearer token from the original request to the CM, not the bearer token set by LSHTTPBearerTokenInterceptor from the response. So after LSHTTPRedirectRequestInterceptor runs, the request contains the bearer token intended for the CM, not the one for the download URL.
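
The interaction described above, reduced to a runnable Python model (an added example, not the app's code). The classes, the `sync_properties` fix, and the hosts, tokens and response field names are assumptions constructed for illustration; the ticket does not say how the bug was actually fixed.

```python
from dataclasses import dataclass, replace

# Constructed sample values: tokens and hosts are placeholders.
CM_TOKEN, DL_TOKEN = "Bearer cm-token", "Bearer download-token"

@dataclass(frozen=True)
class Properties:  # hypothetical stand-in for LSHTTPRequestProperties
    authorization: str
    cookies: tuple = ()

@dataclass(frozen=True)
class Request:
    url: str
    authorization: str      # header that actually goes on the wire
    properties: Properties  # metadata object attached to the request

def bearer_token_step(req, response, sync_properties):
    """Model of the bearer-token interceptor: copy the CM request and point it
    at the download URL with the token from the CM response."""
    new = replace(req, url=response["location"],
                  authorization="Bearer " + response["access_token"])
    if sync_properties:  # assumed fix: keep the attached properties in step
        new = replace(new, properties=replace(new.properties,
                                              authorization=new.authorization))
    return new

def redirect_step(req, modifier):
    """Model of the redirect interceptor: the modifier edits the attached
    properties, and the outgoing request is rebuilt from the result."""
    props = modifier(req.properties)
    return replace(req, authorization=props.authorization, properties=props)

def add_saml_cookie(props):
    # The modifier only wants to inject cookies; it never touches the token.
    return replace(props, cookies=props.cookies + ("saml-session=constructed",))

def fulfil(sync_properties):
    cm_req = Request("https://cm.example/fulfill", CM_TOKEN, Properties(CM_TOKEN))
    cm_response = {"location": "https://distributor.example/book.epub",
                   "access_token": "download-token"}
    rewritten = bearer_token_step(cm_req, cm_response, sync_properties)
    return redirect_step(rewritten, add_saml_cookie)

if __name__ == "__main__":
    for sync in (False, True):
        sent = fulfil(sync)
        print(f"sync={sync}: {sent.url} <- {sent.authorization}")
```

With `sync_properties=False` the download host receives the CM's token, which is the 401 case in this ticket; a regression test can assert that the `Authorization` header on the final request equals the token from the CM response.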