symfony: [HttpFoundation] Authorization header not available via headers()

I’m using Apache 2.4 and PHP 7.0 configured as a module and HttpFoundation 3.0.9. I’ve read https://github.com/symfony/symfony-docs/pull/2529/files#r3886789 and added the RewriteRule although not running PHP through CGI.

When calling the app with an Authorization: Bearer .... header, it’s not available via headers(). It is however visible via apache_request_headers().

Why isn’t Symfony picking up the apache header?

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 23 (10 by maintainers)

Most upvoted comments

In my case I had to add to virtual machine config in Apache:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

After this, HTTP_AUTHORIZATION appeared in $_SERVER (with value Bearer Xxxx). Now I can get its value from $request->headers->get('Authorization').

From the doc of LexikJwtAuthenticationBundle

Important note for Apache users

As stated in this link and this one, Apache server will strip any Authorization header not in a valid HTTP BASIC AUTH format.

If you intend to use the authorization header mode of this bundle (and you should), please add those rules to your VirtualHost configuration:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md

Shouldn’t this rather go somewhere here https://github.com/symfony/symfony/blob/9a90cde4ed72bb9226354ceeecc869ee9ebee493/src/Symfony/Component/HttpFoundation/ServerBag.php#L99?

adapted from https://stackoverflow.com/questions/40582161/how-to-properly-use-bearer-tokens

// Fallback for when Apache did not expose the header through $_SERVER.
if (!isset($headers['AUTHORIZATION'])) {
    if (function_exists('apache_request_headers')) {
        // Header names are case-insensitive, so normalise the keys before the lookup.
        $requestHeaders = array_change_key_case(apache_request_headers(), CASE_LOWER);
        if (isset($requestHeaders['authorization'])) {
            $headers['AUTHORIZATION'] = trim($requestHeaders['authorization']);
        }
    }
}

createFromGlobals is the only place that reads from globals

Got it. ServerBag is responsible for undoing the PHP madness, createFromGlobals is responsible for obtaining global data.
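
An added example, not part of the issue thread and not Symfony's code, of the split described in the last two comments: a pure function normalises a `$_SERVER`-style array plus the raw header list, and only the caller touches globals. The function names `resolveAuthorization` and `bearerToken` and the token values are hypothetical; the `REDIRECT_` prefix is what Apache adds to environment variables set before an internal redirect.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Symfony's ServerBag): reads no globals.
 * $server is a $_SERVER-style array; $rawHeaders is what apache_request_headers()
 * returned, or [] when that function is unavailable.
 */
function resolveAuthorization(array $server, array $rawHeaders = [])
{
    // 1. Variable set by the RewriteRule / SetEnvIf workaround. Apache prefixes
    //    it with REDIRECT_ when an internal redirect happened after it was set.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && trim($server[$key]) !== '') {
            return trim($server[$key]);
        }
    }
    // 2. Fallback: raw request headers. Header names are case-insensitive,
    //    so compare lowercased names.
    foreach ($rawHeaders as $name => $value) {
        if (strtolower((string) $name) === 'authorization' && trim((string) $value) !== '') {
            return trim((string) $value);
        }
    }
    return null; // no credentials reached PHP
}

/** Extract the token from a "Bearer <token>" value; null for any other scheme. */
function bearerToken($authorization)
{
    if (is_string($authorization) && preg_match('/^Bearer\s+(\S+)$/i', $authorization, $m) === 1) {
        return $m[1];
    }
    return null;
}

// Constructed sample inputs (placeholder token values, not taken from the issue).
$cases = [
    'env var set by rewrite rule' => [['HTTP_AUTHORIZATION' => 'Bearer tok-A'], []],
    'after internal redirect'     => [['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer tok-B'], []],
    'only in raw headers'         => [[], ['AUTHORIZATION' => ' Bearer tok-C ']],
    'no credentials sent'         => [[], ['Accept' => '*/*']],
];
foreach ($cases as $label => list($server, $raw)) {
    $token = bearerToken(resolveAuthorization($server, $raw));
    printf("%-28s => %s\n", $label, var_export($token, true));
}

// The one caller that touches globals would pass:
//   resolveAuthorization($_SERVER, function_exists('apache_request_headers') ? (apache_request_headers() ?: []) : []);
```

Keeping the resolver free of globals lets each source of the header be tested with plain arrays, including the case where nothing arrives and the request must be treated as unauthenticated.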