Reverse authentication through web application firewall not working after update

Our owncloud instance is running behind a WAF (Sophos UTM). As an added layer of security we were using the reverse authentication feature of the firewall.
When upgrading the OS from debian 9 to 10, owncloud got upgraded from 9.1 to 10.3 as well.

Expected behaviour

The user logs in on the login page provided by the WAF. The login details are getting passed to the owncloud webserver via basic auth. Owncloud logs the user in and returns the requested page.

Actual behaviour

The user logs in on the login page provided by the WAF. The login details are getting passed to the webserver via basic auth. Owncloud ignores them and requests that the user logs in on the owncloud login page.

As a workaround we have disabled reverse authentication from the WAF.
Both are using the same LDAP server to validate the login details.

Server configuration

Operating system:
Debian 10 Buster

Web server:
Apache 2.4.38

MariaDB 10.3.18

PHP version:
PHP 7.2.25
Updated from 7.0 together with owncloud and the OS.

ownCloud version:

Updated from an older ownCloud or fresh install:
Updated from 9.1

Where did you install ownCloud from:
Initial installation (as far as I can tell) and upgrade has been done via APT.

Are you using encryption: yes/no
No. The WAF handles HTTPS.

Nothing that points to an authentication error in the owncloud and in the apache error log.
Only token refresh messages in owncloud.log.

Has there been an update that changed the way owncloud handles logins? I didnt find anything that could be connected to my issue in the changelogs.

Did ownCloud 9 support HTTP Basic Authentication for user authentication at some point?
I’m confused how this ever worked?

After looking through the documentation I’m wondering that as well. Maybe someone else is running a similar setup and can point me in the right direction.

Seems like we wont be using the reverse authentication for the owncloud user login anymore. Oh well.
Our theory is that an installed app had allowed basic auth on the user login, but after the update that no longer works. No clue which app that could have been though.