HTTP Authorization header not being passed to application

[Taeram]

I'm having issues with a PHP application which uses the HTTP Authorization header for authentication. From what I can tell, the application isn't getting the Authorization header.

To test this out, I created a Request Bin (http://requestb.in), and sent a test request to it: curl -H "Authorization: password" http://requestb.in/1jt21f01. The Request Bin showed that the Authorization header had been successfully received: https://i.imgur.com/eUWLLRW.png

I then created a PHP application on NFO which does a dump of all of the $_SERVER variables at http://auth-header-test.squanchy.site.nfoservers.com/, and sent it the same test request: curl -H "Authorization: password" http://auth-header-test.squanchy.site.nfoservers.com/. The test application showed that the Authorization header had not been received: https://i.imgur.com/p2b0ybV.png

If I mis-spell the Authorization header, it does show up: curl -H "Authorizations: password" http://auth-header-test.squanchy.site.nfoservers.com/ results in: http://i.imgur.com/EV2EF0Z.png

Is there a configuration setting somewhere that's blocking the Authorization header from being passed on to the PHP application?

[Edge100x]

We don't have a special configuration that would cause it to be stripped on our end. Googling this problem, PHP running in CGI mode might have the issue, but we don't run PHP in CGI mode.

You might test the workaround given here and see if it helps: https://devhacksandgoodies.wordpress.co ... orization/

[Taeram]

Fantastic, thanks! The solution you linked to did indeed fix the issue.

Adding the following to my .htaccess file ensured the Authorization header showed up in the $_SERVER array:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1