Collabora sends both access_token and Authorization header to wopi backend for CheckFileInfo

Hello,

During our integration of Collabora Online into our app, we have encountered a strange issue. After submitting the form with WOPISrc URL and access_token (WOPISrc in URL, access_token through form, just like in sample applications) to the editor URL retrieved from discovery XML, the editor fails to load, complaining it can’t read the file.
From the logs, we found out that when trying to retrieve CheckFileInfo URL, Collabora sends both access_token parameter and Authorzation: Bearer header with the same value as the access_token to the backend server. This confuses the Spring application running in the backend since it treats both the header and the access_token parameter as authentication tokens.

Is this behavior normal ? Is there any way to disable it ? We could adapt our backend application to ignore the Authorization header (or the access_token) but I wanted to know whether it is possible to fix without altering the code.

Collabora version is 23.05.10.1 (git baa6eef)
Spring application with custom WOPI backend.

Do you happen to use access_header parameter in your cool.html file (or elsewhere like in your form) ?
The Permission header should not be present if you omit it.

https://sdk.collaboraonline.com/docs/How_to_integrate.html?highlight=access_header#authentication

access_token is the only supported way, so you should ignore any Authorization header sent.

No, only access_token is used.

Our backend dev did exactly that and configured the system to ignore the authorization header and this has fixed the issue.
But still, it would be nice to avoid having to implement such workarounds as they make code harder to maintain.