As mentioned by @arendjantetteroo in a previous issue #23, Apache server will strip any Authorization header not in a valid HTTP BASIC AUTH format, causing the bundle to be useless in "header mode".
To work around the problem, 3 main approaches exist:
- Add rewrite rules to the VirtualHost (description here): simple but needs server side intervention
- Use the apache_request_headers php function to retrieve the original header (description here)
- Inside a listener on the kernel.request event: fix the header bag but will be called on each request
For now I have documented the first solution, but it might not be the most DX-friendly. Adding the logic to extract the original header inside the AuthorizationHeaderTokenExtractor might be simpler for newcomers.
Does anybody have an opinion on this one? Thanks!
slashfan changed the title from "Handling authorization header with Apache" to "[DX] Better apache authorization header "bug" handling" on Aug 12, 2014
Oops, just realized that the apache_request_headers function might only be available in an apache + mod_php configuration. I don't know if something similar is feasible in an apache + php-fpm context.
Basically, I would say that updating your .htaccess in your own project dir seems fine enough. If you use a virtualhost without .htaccess, then you are capable enough to add this to your virtualhost config.
Adding the listener is a nice approach, but only helps on apache mod-php and I would not want it to run on all other servers. So maybe just add a link to that listener for another approach to the docs, but leave it to the developer to pick one of the approaches.
Another, even easier solution in many cases is to simply add CGIPassAuth on to .htaccess. See Apache docs and StackOverflow. Worked for me, although I'm not using this bundle so your mileage may vary.
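The header recovery discussed in this thread, sketched as an added example (not code from the bundle or from any commenter): it checks the server variables Apache fills when the header is forwarded, then falls back to apache_request_headers() only where that function exists. The function names `findAuthorizationHeader` and `extractBearerToken` are hypothetical, and the `Bearer` scheme and the `REDIRECT_HTTP_AUTHORIZATION` key are assumptions not stated in the thread.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical function names; $server is normally $_SERVER.
function findAuthorizationHeader(array $server): ?string
{
    // Present when Apache forwards the header (CGIPassAuth, or a rewrite rule
    // copying it into an environment variable). After an internal redirect
    // Apache prefixes environment variables with REDIRECT_ (assumed key).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }

    // Fallback from the thread. The function is not defined on every SAPI,
    // so guard the call instead of assuming mod_php.
    if (function_exists('apache_request_headers')) {
        foreach (apache_request_headers() ?: [] as $name => $value) {
            // Header names are case-insensitive.
            if (strcasecmp((string) $name, 'Authorization') === 0) {
                return (string) $value;
            }
        }
    }

    return null;
}

function extractBearerToken(array $server): ?string
{
    $header = findAuthorizationHeader($server);
    if ($header === null) {
        return null;
    }
    // Accept exactly "Bearer <token>" (assumed scheme); reject Basic
    // credentials and malformed values rather than passing them on as a token.
    if (preg_match('/^Bearer\s+(\S+)$/i', trim($header), $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed sample inputs standing in for $_SERVER.
var_dump(extractBearerToken(['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer sample.jwt.value']));
var_dump(extractBearerToken(['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz']));
```

Whichever source supplies the header, treat the extracted value as untrusted until the token's signature has been verified, and keep it out of access and debug logs.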