diff --git a/VERSION b/VERSION
index a53ac2f..d80825a 100644
--- a/VERSION
+++ b/VERSION
@@ -5,6 +5,6 @@
 # tags with and without build number so operators use the versioned
 # tag but we always keep a timestamped tag in case a semantic tag gets
 # replaced accidentally
-VER=0.2.2
+VER=0.2.3
 TAGS="${VER} ${VER}-$(date -u +"%Y%m%dT%H%M%S")"
 unset VER
diff --git a/src/main/java/org/opencadc/scienceportal/SciencePortalAuthAction.java b/src/main/java/org/opencadc/scienceportal/SciencePortalAuthAction.java
index da69924..0f17624 100644
--- a/src/main/java/org/opencadc/scienceportal/SciencePortalAuthAction.java
+++ b/src/main/java/org/opencadc/scienceportal/SciencePortalAuthAction.java
@@ -75,6 +75,7 @@
 import ca.nrc.cadc.rest.InlineContentHandler;
 import ca.nrc.cadc.rest.RestAction;
 import ca.nrc.cadc.util.StringUtil;
+import java.net.URL;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opencadc.token.Client;
@@ -104,23 +105,23 @@ protected Client getOIDCClient() throws IOException {
 return this.applicationConfiguration.getOIDCClient();
 }
- protected Subject getCurrentSubject() throws Exception {
+ protected Subject getCurrentSubject(final URL targetURL) throws Exception {
 final String rawCookieHeader = this.syncInput.getHeader("cookie");
 final Subject subject = AuthenticationUtil.getCurrentSubject();
 if (StringUtil.hasText(rawCookieHeader)) {
 final String[] firstPartyCookies =
- Arrays.stream(rawCookieHeader.split(";"))
- .map(String::trim)
- .filter(cookieString -> cookieString.startsWith(
- ApplicationConfiguration.FIRST_PARTY_COOKIE_NAME))
- .toArray(String[]::new);
+ Arrays.stream(rawCookieHeader.split(";"))
+ .map(String::trim)
+ .filter(cookieString -> cookieString.startsWith(
+ ApplicationConfiguration.FIRST_PARTY_COOKIE_NAME))
+ .toArray(String[]::new);
 if (firstPartyCookies.length > 0 && applicationConfiguration.isOIDCConfigured()) {
 for (final String cookie : firstPartyCookies) {
 // Only split on the first "=" symbol, and trim any wrapping double quotes
 final String encryptedCookieValue =
- cookie.split("=", 2)[1].replaceAll("\"", "");
+ cookie.split("=", 2)[1].replaceAll("\"", "");
 try {
 final String accessToken = getOIDCClient().getAccessToken(encryptedCookieValue);
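Review bot: The new `targetURL` parameter of getCurrentSubject is dereferenced later (`targetURL.getHost()` in the @@ -128 hunk of the same file) without any guard, so a caller passing null fails with a bare NullPointerException inside the cookie loop instead of at the method entry; add `Objects.requireNonNull(targetURL, "targetURL");` as the first statement, importing java.util.Objects if the file does not already have it. The parameter also has no Javadoc: a `@param targetURL` line should state that only its host is used, as the domain the decrypted OIDC access token is bound to, so callers must pass the URL of the backend service the token will be forwarded to rather than an arbitrary URL. As a point of style, the whitespace-only re-indentation of the `Arrays.stream(...)` chain and the `cookie.split` line is mixed into a behavioural change, which makes the actual change harder to pick out in review. The method body continues past the end of this hunk.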
@@ -128,10 +129,8 @@ protected Subject getCurrentSubject() throws Exception {
 subject.getPrincipals().add(new AuthorizationTokenPrincipal(AuthenticationUtil.AUTHORIZATION_HEADER, AuthenticationUtil.CHALLENGE_TYPE_BEARER + " " + accessToken));
- subject.getPublicCredentials().add(
- new AuthorizationToken(AuthenticationUtil.CHALLENGE_TYPE_BEARER, accessToken,
- Collections.singletonList(
- URI.create(syncInput.getRequestURI()).getHost())));
+ subject.getPublicCredentials().add(new AuthorizationToken(AuthenticationUtil.CHALLENGE_TYPE_BEARER, accessToken,
+ Collections.singletonList(targetURL.getHost())));
 } catch (NoSuchElementException noTokenForKeyInCacheException) {
 LOGGER.warn("Cookie found and decrypted but no value in cache. Ignoring cookie...");
 }
diff --git a/src/main/java/org/opencadc/scienceportal/SciencePortalAuthGetAction.java b/src/main/java/org/opencadc/scienceportal/SciencePortalAuthGetAction.java
index a9ca1c6..454f970 100644
--- a/src/main/java/org/opencadc/scienceportal/SciencePortalAuthGetAction.java
+++ b/src/main/java/org/opencadc/scienceportal/SciencePortalAuthGetAction.java
@@ -91,7 +91,7 @@ public abstract class SciencePortalAuthGetAction extends SciencePortalAuthAction
 @Override
 public void doAction() throws Exception {
 final URL apiURL = getAPIURL();
- final Subject subject = getCurrentSubject();
+ final Subject subject = getCurrentSubject(apiURL);
 final String apiEndpoint = String.format("%s%s", apiURL.toExternalForm(), getEndpoint());
 final URL apiEndpointURL = new URL(apiEndpoint);
 final String query;
diff --git a/src/main/java/org/opencadc/scienceportal/session/DeleteAction.java b/src/main/java/org/opencadc/scienceportal/session/DeleteAction.java
index bc67367..62e4b0a 100644
--- a/src/main/java/org/opencadc/scienceportal/session/DeleteAction.java
+++ b/src/main/java/org/opencadc/scienceportal/session/DeleteAction.java
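Review bot: The domain the bearer token is bound to changes in this hunk from the incoming request's host (`URI.create(syncInput.getRequestURI()).getHost()`) to `targetURL.getHost()`, and nothing in the code records why; a one-line comment above the `subject.getPublicCredentials().add(...)` call such as `// Bind the token to the backend host it will be forwarded to, not the portal's own request host` would preserve the intent for the next reader. `URL.getHost()` returns an empty string for a URL with no authority and the bracketed literal for an IPv6 host; whether AuthorizationToken's domain matching treats either case specially is not visible here and is worth confirming against the Client/AuthorizationToken implementation before relying on it. The enclosing getCurrentSubject method begins outside this hunk.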
@@ -87,7 +87,7 @@ public void doAction() throws Exception {
 final URL apiURL = new URL(getAPIURL().toExternalForm() + syncInput.getRequestPath().substring(syncInput.getContextPath().length()));
- final Subject authenticatedUser = getCurrentSubject();
+ final Subject authenticatedUser = getCurrentSubject(apiURL);
 Subject.doAs(authenticatedUser, (PrivilegedExceptionAction) () -> {
 final HttpDelete httpDelete = new HttpDelete(apiURL, true);
diff --git a/src/main/java/org/opencadc/scienceportal/session/PostAction.java b/src/main/java/org/opencadc/scienceportal/session/PostAction.java
index 740633d..b4a928d 100644
--- a/src/main/java/org/opencadc/scienceportal/session/PostAction.java
+++ b/src/main/java/org/opencadc/scienceportal/session/PostAction.java
@@ -93,8 +93,7 @@ public class PostAction extends SciencePortalAuthAction {
 @Override
 public void doAction() throws Exception {
 final URL apiURL = new URL(getAPIURL().toExternalForm() + PostAction.SESSION_ENDPOINT);
-
- final Subject authenticatedUser = getCurrentSubject();
+ final Subject authenticatedUser = getCurrentSubject(apiURL);
 final Map payload = new HashMap<>();
 payload.putAll(syncInput.getParameterNames().stream().collect(
 Collectors.toMap(key -> key, key -> syncInput.getParameter(key))));
diff --git a/src/main/java/org/opencadc/scienceportal/userinfo/GetAction.java b/src/main/java/org/opencadc/scienceportal/userinfo/GetAction.java
index 534eb5a..a8fc10e 100644
--- a/src/main/java/org/opencadc/scienceportal/userinfo/GetAction.java
+++ b/src/main/java/org/opencadc/scienceportal/userinfo/GetAction.java
@@ -90,12 +90,10 @@ public class GetAction extends SciencePortalAuthAction {
 @Override
 public void doAction() throws Exception {
- final Subject subjectFromCookie = getCurrentSubject();
+ final URL sessionsURL = getSessionsURL();
+ final Subject subjectFromCookie = getCurrentSubject(sessionsURL);
 Subject.doAs(subjectFromCookie, (PrivilegedExceptionAction) () -> {
- final URL sessionsURL;
- try {
- sessionsURL = getSessionsURL();
 final HttpGet sessionAccessCheck = new HttpGet(sessionsURL, true);
 sessionAccessCheck.run();