ServerBag assumes the use of PHP_AUTH_USER denotes Basic authentication #17345

@cjmaio

Description

I use the Laravel framework, which makes use of symfony/http-foundation.

We developed an API and recently moved to using a Shibboleth IdP. When we send our header through to Laravel, Authorization: Bearer 123456....., it is stripped and replaced with Authorization: Basic 123456......

I couldn't determine why it was being stripped. After hours of thinking it was my own code, I finally tracked it down to line 89 of symfony/http-foundation/ServerBag.php:

// PHP_AUTH_USER/PHP_AUTH_PW
if (isset($headers['PHP_AUTH_USER'])) {
    $headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);
} elseif (isset($headers['PHP_AUTH_DIGEST'])) {
    $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];
}

It seems that this assumes that if PHP_AUTH_USER is set, it is Basic authentication. However, the Apache module mod_shib uses PHP_AUTH_USER when a user is logged in using the IdP.

Should this instead be something like this?

// PHP_AUTH_USER/PHP_AUTH_PW
if (isset($headers['PHP_AUTH_USER'])) {
    if (isset($headers['AUTH_TYPE']) && $headers['AUTH_TYPE'] == 'Basic') {
        $headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);
    }
} elseif (isset($headers['PHP_AUTH_DIGEST'])) {
    $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];
}
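To make the report reproducible, here is an added stand-in (not Symfony's code and not the reporter's) that models the quoted ServerBag branch and the proposed AUTH_TYPE gate side by side, run against a constructed mod_shib-style environment. It assumes a CGI-style $server array in which client headers arrive prefixed with HTTP_ and AUTH_TYPE is set by the server's auth module; the AUTH_TYPE comparison here is case-insensitive, which the proposal above does not spell out.

```php
<?php
function collectHeaders(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (strpos($key, 'HTTP_') === 0) {
            $headers[substr($key, 5)] = $value; // HTTP_AUTHORIZATION -> AUTHORIZATION
        } elseif (in_array($key, ['PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST', 'AUTH_TYPE'], true)) {
            $headers[$key] = $value;
        }
    }
    return $headers;
}

function basicHeader(array $headers): string
{
    return 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.($headers['PHP_AUTH_PW'] ?? ''));
}

// Quoted behaviour: PHP_AUTH_USER alone is taken as proof of Basic auth, so the
// Authorization header the client really sent is overwritten.
function normalizeOriginal(array $server): array
{
    $headers = collectHeaders($server);
    if (isset($headers['PHP_AUTH_USER'])) {
        $headers['AUTHORIZATION'] = basicHeader($headers);
    } elseif (isset($headers['PHP_AUTH_DIGEST'])) {
        $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];
    }
    return $headers;
}

// Proposed behaviour: synthesise Basic only when AUTH_TYPE says so. AUTH_TYPE is
// set by the web server's auth module; a client-sent header would arrive as HTTP_*.
function normalizeProposed(array $server): array
{
    $headers = collectHeaders($server);
    if (isset($headers['PHP_AUTH_USER'])) {
        if (isset($headers['AUTH_TYPE']) && strcasecmp($headers['AUTH_TYPE'], 'Basic') === 0) {
            $headers['AUTHORIZATION'] = basicHeader($headers);
        }
    } elseif (isset($headers['PHP_AUTH_DIGEST'])) {
        $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];
    }
    return $headers;
}

// Constructed mod_shib-style environment: user from the IdP login, Bearer token
// from the API client, AUTH_TYPE not Basic.
$server = ['HTTP_AUTHORIZATION' => 'Bearer 123456', 'PHP_AUTH_USER' => 'alice', 'AUTH_TYPE' => 'shibboleth'];
echo normalizeOriginal($server)['AUTHORIZATION'], "\n"; // token replaced by a Basic header
echo normalizeProposed($server)['AUTHORIZATION'], "\n"; // token preserved
```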
