I was working on a project with a customer that was using a slimmed-down version of OAuth 2.0, where the HTTP headers contained an Authorization token.
I know that most HTTP headers are available as environment variables (or using HTTP_<headername> as the environment variable to retrieve custom headers), but this one was not. A quick search brought me to this Stack Overflow question, which explains that Apache strips out the Authentication header and also gives a workaround.
Knowing that Apache on the IBM i isn't always the same as other versions, I decided to give it a whirl anyhow.
The first thing I did was add the following line to my httpd.conf file for the web server in question:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
The next step, to make sure that the Apache server wouldn't puke on this new configuration, was to restart my Apache server instance. I did, and what do you know, it worked (or at least it didn't crash telling me that the SetEnvIf directive was invalid).
My next step was to test, so I wrote a simple program named HDRTEST using the eRPG SDK that looks like the following:
     H DFTACTGRP(*NO) BNDDIR('ERPGSDK')
      ****************************************************************
      * Prototypes *
      ****************************************************************
      /COPY QCOPYSRC,P.ERPGSDK
      /COPY QCOPYSRC,P.HTTPSTD
      ****************************************************************
      * Data read in from web page
     D header          S           1024    Varying
      *
      * Work Variables
     D headerValue     S           1024    Varying
      ****************************************************************
       #startup();
       #writeTemplate('stdhtmlheader.erpg');
       #loadTemplate('hdrtest.erpg');
       header = #getData('header');
       headerValue = #getEnv('HTTP_' + %trim(header));
       #replaceData('/%header%/':header);
       #replaceData('/%value%/':headerValue);
       #writeSection();
       #cleanup();
       *INLR = *on;
The template (hdrtest.erpg) used is VERY simple and looks like this:
/%header%/ = /%value%/
Next, I used GETURI to make a request with a custom Authorization header:
GETURI URI('bvstools.com/cgi-bin/hdrtest') DATA('header=AUTHORIZATION')
PORT(443) USRHDR((Authorization 'Bearer x8x8x8x9x9x9x9x9x9x'))
SSL(*YES)
To my joy the proper information was returned:
HTTP/1.1 200 OK
Date: Tue, 18 Jul 2017 15:55:51 GMT
Server: Apache
Content-Length: 42
Connection: close
Content-Type: text/html; charset=ISO-8859-1
AUTHORIZATION = Bearer x8x8x8x9x9x9x9x9x9x
So, again, with just some simple RPG you are able to work with the rest of the world as OAuth and OAuth types of authentication become more popular.
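Once HTTP_AUTHORIZATION is exposed this way, the CGI program still has to pull the token out of the value and check it before trusting it. The sketch below is an added example, not code from the original post or the eRPG SDK; it is written in Python rather than RPG so the logic can be run anywhere, and the function names, the 1024-byte limit and the sample environments are assumptions.

```python
import hmac
import re

# RFC 6750 section 2.1 syntax: "Bearer" 1*SP b64token. Scheme names are
# case-insensitive; the token alphabet excludes spaces, quotes and markup.
_BEARER_RE = re.compile(r"\ABearer +([A-Za-z0-9\-._~+/]+=*)\Z", re.IGNORECASE)
MAX_HEADER_LEN = 1024  # assumption: mirrors the 1024-byte fields in HDRTEST


def bearer_token(environ):
    """Return the token from HTTP_AUTHORIZATION, or None if absent or malformed."""
    raw = environ.get("HTTP_AUTHORIZATION")
    if raw is None or len(raw) > MAX_HEADER_LEN:
        return None
    match = _BEARER_RE.match(raw.strip(" \t"))
    return match.group(1) if match else None


def is_authorized(environ, expected_token):
    """Compare the presented token to the expected one in constant time."""
    token = bearer_token(environ)
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def redact(token):
    """Shortened form for logs so the full credential is never written out."""
    return token[:4] + "..." if token else "<none>"


if __name__ == "__main__":
    # Constructed CGI environments; the first reuses the sample header from the post.
    samples = [
        {"HTTP_AUTHORIZATION": "Bearer x8x8x8x9x9x9x9x9x9x"},
        {"HTTP_AUTHORIZATION": "Basic dXNlcjpwYXNz"},
        {"HTTP_AUTHORIZATION": "Bearer two tokens"},
        {},
    ]
    for env in samples:
        print(redact(bearer_token(env)), is_authorized(env, "x8x8x8x9x9x9x9x9x9x"))
```

Because the token is restricted to the b64token alphabet before it is used, a header carrying markup or a second value is rejected rather than echoed into a page the way the HDRTEST template echoes its input.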