Just a quick one, you’ve been coding up your REST api, and are trying to use a Bearer authorization token (as obtained from an OAuth2 handshake), and it’s just not working.

If you send your access token as a GET or POST value things work fine however.

You point your head at httpbin.org and to see what your client is sending, and low and behold, the bearer token is present and correct.

You scratch your head and dump the contents of $_SERVER to a log, and to your surprise, nothing. No Authorization header is present!

To save you many a frustrating hour, here’s the answer. Turns out that Apache will strip any authorisation header it doesn’t recognise, which is basically anything that’s not basic auth.

So, you need to put it back in yourself. Do so by putting the following into your .htaccess

So, another quick one.

I had the need to test something out in Known around OAuth2 “sign in as” buttons, so I put together a very quick, and generic, client for it.

This is very early days and was really written to implement an MVP proof of concept thingy for a client of mine. However, it could be more widely useful and with a bit of work could be handy for folk.


  • Check it out
  • Run composer install to get the various libraries
  • Put it in your IdnoPlugins directory as OAuth2Client
  • Activate in your plugins


Go to the admin page and create your new buttons by filling in the appropriate details.

Out of the box this plugin WON’T fully log you in as whatever, you need to write your own handler plugin to listen to the oauth2/authorised event hook.

This hook is passed an array containing the access token and other details for your to use to match up with a user, or create a new one.

If the hook goes unanswered, the plugin will look for id or username in the return JSON.

» Visit the project on Github...

Just a quick one, as I was doing some stuff for a client, I gave the Known OAuth2 server a bit of a tweak.

First things first, I updated the admin interface so that it shows the endpoint urls needed (doh).

Second, I added support for an owner context url.

Third, the access token can now be passed using an Bearer authorisation header. Since this is now the new hotness, and it’s probably more reliable than passing stuff on a get variable.

Anyway, happy Saturday.