WWW-Authenticate response header issues when authenticating mobile apps with oauth2 on apache + php5.6-fpm

I know php fpm isn't recommended but for old app compatibility I'm running owncloud with apache and php fpm.

When accessing /remote.php/webdav with php-fpm and without, I get distinct results for the WWW-Authenticate header, which fail to auth with mobile clients.

With php5.6-fpm

    curl -i -X GET https://.../remote.php/webdav
    WWW-Authenticate: Basic realm="ownCloud", Bearer realm="ownCloud"

Without php5.6-fpm, with mod_php

    curl -i -X GET https://.../remote.php/webdav
    WWW-Authenticate: Basic realm="ownCloud"
    WWW-Authenticate: Bearer realm="ownCloud"

The "only" difference is the presence or not of php5.6-fpm. I've read many things about auth headers with fpm, but nothing about what I'm going through. Nothing about how headers are managed.

I've found that


are responsible for calling the addHeader function, which is defined on


Since the code method is the same, something is misconfigured or misbehaving with my web server.

Expected behaviour

Two WWW-Authenticate headers

Actual behaviour

One WWW-Authenticate header with content appended

Server configuration

Operating system:
Ubuntu 14.04.5 LTS

Web server:
Apache/2.4.33 (Ubuntu)

mysqld Ver 5.5.54-1trusty for debian-linux-gnu on x86_64 ((Ubuntu), wsrep_25.20)
galera-3 25.3.23+1trusty

PHP version:
PHP 5.6.34-1+ubuntu14.04.1+deb.sury.org+1 (fpm-fcgi)

ownCloud version: (see ownCloud admin page)

Updated from an older ownCloud or fresh install:
Updated from 7, then from 9

Where did you install ownCloud from:
tar.gz from owncloud.org

The content of config/config.php:

    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "allow_user_to_change_display_name": false,
        "appstoreenabled": false,
        "asset-pipeline.enabled": true,
        "custom_csp_policy": "default-src 'self'; script-src  'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src 'self' blob: *; font-src *  'self' data:; media-src *",
        "datadirectory": "\/var\/www\/cncCloud\/data",
        "default_language": "pt_BR",
        "dbtype": "mysql",
        "dbname": "owncloud",
        "dbhost": "proxy-dev-01",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "enable_avatars": false,
        "forcessl": true,
        "has_internet_connection": false,
        "installed": true,
        "knowledgebaseenabled": false,
        "log_type": "syslog",
        "logfile": "",
        "loglevel": "0",
        "logtimezone": "America\/Recife",
        "lost_password_link": "disabled",
        "mail_from_address": "noreply",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "maintenance": false,
        "session_lifetime": "21600",
        "trashbin_retention_obligation": "30, auto",
        "memcached_servers": [
        "skeletondirectory": "",
        "updatechecker": false,
        "version": "",
        "versions_retention_obligation": "auto"

**List of activated apps:**

  - account_closure: 0.0.1
  - activity: 2.3.6
  - anolis_openstack: 0.0.1
  - comments: 0.3.0
  - configreport: 0.1.1
  - customgroups: 0.3.6
  - dav: 0.3.2
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - feedback: 1.1
  - files: 1.5.1
  - files_external: 0.7.1
  - files_pdfviewer: 0.8.2
  - files_restriction: 1.0.0
  - files_sharing: 0.10.1
  - files_texteditor: 2.2.1
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - folder_uploader: 0.0.1
  - gallery: 16.0.2
  - interactive_tutorial: 1.0
  - notifications: 0.3.2
  - oauth2: 0.2.1
  - provisioning_api: 0.5.0
  - richdocuments: 2.0.5
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - theme-edudrive: 1.0.0
  - updatenotification: 0.2.1
  - user_shib: 0.1

Are you using external storage, if yes which one:
yes, openstack swift

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one:
Yes, Shibboleth

Do desktop and the web work properly?

According to the Apache docs as well as some RFCs, comma-separated values can be used to provide multiple values for the same header, so the header should be considered valid and should be processed fine.
There might be a problem with the mobile clients.

Maybe you could consider updating to the recent version 10.0.8 and trying again? 10.0.4 looks quite outdated.

Yes, desktop and web work properly.

I do think it is a problem with mobile. I'll investigate and maybe I can submit a bug fix.

As @jvillafanez said, a header with comma-separated values is valid, so it is probably a problem with the mobile client. Anyway, I'll upgrade my server.

Hey @guimaluf, thanks a bunch for your detailed report! I've just been able to reproduce with the Android app. Apparently it is the only one displaying this wrong behavior.

Will investigate further how the android-library handles this scenario and open an issue there. If you wanna take over from there you're more than welcome to contribute with a fix!

Thanks again!
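
Added example (not part of the thread, and not ownCloud or android-library code): a client-side parser that follows the RFC 7235 list grammar for `WWW-Authenticate` and yields the same challenges whether the server sends one comma-joined field (the php5.6-fpm output above) or two separate fields (the mod_php output). The function and constant names are illustrative assumptions; it also handles the general cases of commas inside quoted strings, parameter-less schemes and token68 credentials.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# List elements are comma-separated; commas inside quoted-strings do not split.
ELEMENT = re.compile(rf'(?:[^,"]|{QUOTED})+')
# auth-param = token BWS "=" BWS ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})\s*=\s*({TOKEN}|{QUOTED})')

# Field values as shown by the two curl runs in the report.
COMBINED = ['Basic realm="ownCloud", Bearer realm="ownCloud"']  # php5.6-fpm
SEPARATE = ['Basic realm="ownCloud"', 'Bearer realm="ownCloud"']  # mod_php


def _unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_challenges(field_values):
    """Return [(scheme, params)] for all WWW-Authenticate field values."""
    challenges = []
    for field in field_values:
        current = None  # challenge that following auth-params belong to
        for element in ELEMENT.findall(field):
            element = element.strip()
            if not element:
                continue
            param = PARAM.fullmatch(element)
            if param:  # "key=value" continues the current challenge
                if current is not None:
                    current[1][param.group(1).lower()] = _unquote(param.group(2))
                continue
            # Anything else starts a new challenge: scheme [SP first-item]
            scheme, _, rest = element.partition(" ")
            current = (scheme, {})
            challenges.append(current)
            first = PARAM.fullmatch(rest.strip())
            if first:
                current[1][first.group(1).lower()] = _unquote(first.group(2))
            elif rest.strip():
                current[1]["token68"] = rest.strip()
    return challenges


def offered_schemes(field_values):
    """Lower-cased auth schemes a client may choose from."""
    return [scheme.lower() for scheme, _ in parse_challenges(field_values)]
```

A client that splits only on header-field boundaries sees a single `Basic` challenge in the comma-joined form and never finds `Bearer`; comparing `offered_schemes()` for both server outputs makes a quick regression check.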


Here we go: