FOSOAuthServerBundle, Authorization header doesn't work but access_token in query works

Question

I'm using the authorization_code grant type. I've already created a client, the auth_code and then created access and refresh tokens, all successfully. Now I try to use the access_token and here comes the problem. If I put it as a request/query parameter access_token=123456789, it works perfectly, I get the requested resource.

But I've read that it's actually better to embed it in the Authorization header for security reasons. I'm trying this and doesn't work:

Authorization: Bearer 123456789

also tried:

Authorization: 123456789

and nothing works. All I get is:

{
    "error": "access_denied",
    "error_description": "OAuth2 authentication required"
}

Any ideas? If I'm using SSL in both server and client, can I safely use parameters instead of headers?

Answer 1

Well, I found a solution myself. This could actually be considered a "duplicated" question, but I didn't know it until now. Trying to trace the error, I found that the Authorization header was completely missing in the Symfony profiler (luckily, Symfony sends in the response the profiler URL related to each request). So I searched "symfony missing authorization header" (or something similar, can't remember) and found this:

Request headers bag is missing Authorization header in Symfony 2?

It was mezod's answer the one that worked the best for me. I just put it in Apache's virtual host configuration file and reloaded Apache service. Now it works. No need to put it as 'access_token' request parameter. Authorization header for the win. And by the way, the only thing that worked now was: Authorization: Bearer 123456789

Yes, with capital B in Bearer. Every other combination (non-capital, OAuth instead of Bearer, only the token itself) failed miserably.

In case someone can't access that link, the thing is to put this in your virtual host configuration file (haven't tried in .htaccess myself yet):

RewriteEngine On
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

So that's it. I really really hope it helps someone at least half of what it did for me.