Apache strips down "Authorization" header

Question

I'm having a little issue with my Apache 2.2.15 Server. I'm running a Django app on top of it with mod_wsgi. I activated WSGIPassAuthorization On, which made the Basic auth working well. But I recently implemented OAuth2.0 to secure my API (Implicit Grant), and I think Apache won't let it pass since it is of the form "Authorization: Bearer token". The "Bearer" is the issue I guess, though I don't know how to avoid that.

I tried :

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

In the httpd.conf, .htaccess (after setting AllowOverride All), and in my vhost. Nothing to do, doesn't work. I've crawled the Internet all day long, and didn't find anything but those two solutions.

Thank you in advance !

EDIT:

OS : RedHatEL6.4
Apache : 2.2.15
Django: 1.6.6 w/ django-oauth-toolkit
Python: 2.7.8

Answer 1

I solved my problem, which finally was totally unrelated to my Apache configuration. So if you found this topic looking for an answer to the same problem, one of the solutions below should fix it :

Config WSGI :

WSGIPAssAuthorization On

Config .htaccess :

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

You can put both of those into your httpd/conf.d/project.conf file !

Answer 2

Several modules will strip the Authorization header to try to enhance security by preventing scripts from seeing usernames, passwords, etc... unless the developer explicitly enables this. Many of these modules will allow this header if you simply add the following line to .htaccess: CGIPassAuth on (source: Apache docs and StackOverflow)