When HttpClient is configured to follow redirects and receives a 303 response with a
Location header that includes userinfo, such as http://user:firstname.lastname@example.org/, the username and password are ignored.
The expected behaviour is that, if the request to the target location (without credentials) responds with a 401, HttpClient uses the userinfo credentials from the previous response's Location header to authenticate and stores the credentials in the execution context. This is the behaviour of most Web agents such as Chrome, Firefox, Safari, libcurl, and others.
HttpClient should still wait for the 401 response (by default) before sending the credentials as outlined in 1344:
Userinfo Credentials in URI Should Not Default to Preemptive Authentication
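
The expected flow described above, as an added sketch that is not HttpClient's own code: the class `RedirectUserInfo` and its methods are hypothetical, it uses only `java.net.URI` from the JDK, and it assumes the 401 carries a Basic challenge. The userinfo is stripped from the request URI, held per origin, and released only after a 401 from that same origin.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper, not part of HttpClient: defers userinfo credentials from a redirect. */
public class RedirectUserInfo {
    // Credentials remembered per origin, standing in for the execution context.
    private final Map<String, String> credsByOrigin = new HashMap<>();

    // Port is -1 when the URI has no explicit port; a mismatch simply yields no credentials.
    private static String origin(URI u) {
        return u.getScheme() + "://" + u.getHost() + ":" + u.getPort();
    }

    /** Strips userinfo from the Location value, remembers it, and returns the URI to request. */
    public URI onRedirect(String location) throws URISyntaxException {
        URI target = new URI(location);
        String userInfo = target.getUserInfo(); // decoded "user:password", or null
        // Rebuild the URI without userinfo so credentials never travel in the request line.
        URI clean = new URI(target.getScheme(), null, target.getHost(), target.getPort(),
                target.getPath(), target.getQuery(), target.getFragment());
        if (userInfo != null) {
            credsByOrigin.put(origin(clean), userInfo);
        }
        return clean;
    }

    /** Authorization value for the retry, or null. Only a 401 from the same origin unlocks it. */
    public String authorizationFor(URI requested, int status) {
        if (status != 401) return null; // never preemptive
        String userInfo = credsByOrigin.get(origin(requested));
        if (userInfo == null) return null;
        return "Basic " + Base64.getEncoder()
                .encodeToString(userInfo.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws URISyntaxException {
        RedirectUserInfo ctx = new RedirectUserInfo();
        // Constructed Location value, as it might arrive on a 303 response.
        URI next = ctx.onRedirect("http://user:secret@example.org/private");
        System.out.println("GET " + next + " (no Authorization header)");
        System.out.println("on 200: " + ctx.authorizationFor(next, 200));
        System.out.println("on 401: " + ctx.authorizationFor(next, 401));
    }
}
```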