Authorization header missing in django rest_framework, is apache to blame?

Solution 1:

If you are using Apache and mod_wsgi, then I found the easy solution to this in the official Django REST framework website

Apache mod_wsgi specific configuration

Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.

If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.

# this can go in either server config, virtual host, directory or .htaccess 
WSGIPassAuthorization On

Solution 2:

Sorry to answer my own question minutes after asking it. But it turns out it was apache2 after all! After crawling the webs and looking through a few search results I found this in a comment:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Adding the above lines to my conf file seemed to solve all of my problems! Hopefully this helps users down the road!

Solution 3:

It depends on which kind of Django/Apache deployment you did. You need to tell the correct Apache module to allow to pass "Authentication" HTTP header:

  • Apache/mod_wsgi:

    WSGIPassAuthorization On

  • Apache/mod_fcgid:

    FcgidPassHeader Authorization

In other words: many Apache modules filters "Authentication" HTTP header, so Django will not receive it. You have to be sure your Django App is receiving it in request.

See: django_rest doc and Apache fcgid doc.

NOTE: After modifying Apache configuration you'll need to restart apache daemon or tell to reload your .cgi file (i.e: touch my_site_fcgifile.fcgi).