php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #72915 *Only* basic and digest authentication supported
Submitted: 2016-08-21 21:02 UTC Modified: 2021-11-02 17:22 UTC
Votes:9
Avg. Score:4.2 ± 0.9
Reproduced:8 of 8 (100.0%)
Same Version:2 (25.0%)
Same OS:2 (25.0%)
From: cpuidle at gmx dot de Assigned: cmb (profile)
Status: Closed Package: *Web Server problem
PHP Version: 7.0.10 OS: OSX
Private report: No CVE-ID: None
 [2016-08-21 21:02 UTC] cpuidle at gmx dot de
Description:
------------
echo $_SERVER['HTTP_AUTHORIZATION']

Test script:
---------------
curl --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE0NzE4MDMwNjYsImV4cCI6MTQ3MTg4OTQ2Niwic3ViIjoidXNlciJ9.1JSvKan_gh5nV6wsLBbmZ0KrO9NKhHX7ktcmzxgtMHM" http://localhost/test.php

Expected result:
----------------
Show authorization header

Actual result:
--------------
$_SERVER['HTTP_AUTHORIZATION'] not present

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-26 07:17 UTC] cpuidle at gmx dot de
-Summary: HTTP_AUTORIZATION header missing when php module is used +Summary: HTTP_AUTORIZATION header missing for Bearer Auth when using apache module
 [2016-08-26 07:17 UTC] cpuidle at gmx dot de
To be clear: the $_SERVER['HTTP_AUTHORIZATION'] variable is empty while apache_request_headers() shows that the Authorization header is indeed present. 

It doesn't seem to get picked up by PHP, but why?
 [2016-08-26 07:34 UTC] cpuidle at gmx dot de
Looking at https://github.com/php/php-src/blob/9fc0a5e049ade8082b2b9a45687ac8cbd694f731/main/main.c#L2615 it seems that PHP _only_ supports Basic and Digest authorization and nothing else.
 [2021-11-02 17:22 UTC] cmb@php.net
-Summary: HTTP_AUTORIZATION header missing for Bearer Auth when using apache module +Summary: *Only* basic and digest authentication supported -Status: Open +Status: Verified -Type: Bug +Type: Documentation Problem -Package: Apache2 related +Package: *Web Server problem -Assigned To: +Assigned To: cmb
 [2021-11-02 17:22 UTC] cmb@php.net
> […] it seems that PHP _only_ supports Basic and Digest
> authorization and nothing else.

Right; regardless of the SAPI.  The manual, apparently a bit
outdated, claims[1]:

| Both "Basic" and "Digest" authentication methods are supported.

Use the oauth extension for bearer authentication (or a PHP
library, or roll your own :).

[1] <https://www.php.net/manual/en/features.http-auth.php>
 [2021-11-02 17:27 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/doc-en/commit/2d1981cc3003cd94f5fb88e0473eed2c5b26efde
Log: Fix #72915: *Only* basic and digest authentication supported
 [2021-11-02 17:27 UTC] git@php.net
-Status: Verified +Status: Closed
 [2021-11-03 09:59 UTC] git@php.net
Automatic comment on behalf of sy-records (author) and web-flow (committer)
Revision: https://github.com/php/doc-zh/commit/8576a1ea3a5eb1a14fac35b28a8eff2fd0faba21
Log: Fix #72915: *Only* basic and digest authentication supported (#108)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 11:01:28 2024 UTC