
Missing Authorization header in OAuth access token request


Hi - I have a proxy flow set up for OAuth authentication where Apigee is proxying for our internal identity store. The authorization code flow is working fine and the client, which is a confidential client, is successfully getting a valid authorization code. Since this is a confidential client, when attempting to exchange the auth code for an access token, the client provides an HTTP Authorization header containing its Apigee client ID & secret which I expect Apigee to use to verify the client before sending the auth code downstream to our internal identity store. However Apigee is not finding the Authorization header in the proxy request object and thus everything is dying at that point.

I have an active trace on the wire going out from the client and can see the "Authorization Basic <blah>" header going down the wire. I've double and triple checked that the header itself is valid - if, for example, I fire the request at a different, non Apigee application that is expecting basic auth, the app finds and decodes the header just fine (and of course it rejects it since the auth code Apigee credentials, not valid credentials for the app ... but that's irrelevant to the point of the test). I've placed a JavaScript dump immediately after the proxy request arrives on Apigee and printed the value of context.proxyRequest.headers. The resulting array of header values contains this entry:

Authorization=org.mozilla.javascript.Undefined@0.

Which, I guess, means Apigee tried to find the auth header but couldn't? Or found it but couldn't decode it for some reason? Even though I know it's being sent and is in fact valid? Can anyone give me some guidance in figuring out what's going on here?

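The client-authentication step described in the post (a confidential client sending its client ID and secret in an HTTP Basic Authorization header on the token request), as an added example that is not part of the original post and is not Apigee policy code: a Node.js helper that parses such a header value and names the reason when it cannot be used. The function names and sample values are constructed for illustration; the form-urlencoding of both parts follows RFC 6749 section 2.3.1.

```javascript
// Added example: validate an HTTP Basic client-authentication header value
// as received at a token endpoint. Never log the returned secret.
function parseBasicClientAuth(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return { ok: false, reason: 'missing' };
  }
  // Expect "<scheme> <credentials>" with no further whitespace.
  const match = /^([A-Za-z]+) +(\S+)$/.exec(headerValue.trim());
  if (!match) return { ok: false, reason: 'malformed' };
  if (match[1].toLowerCase() !== 'basic') {
    return { ok: false, reason: 'wrong-scheme' };
  }
  // Buffer.from() silently skips invalid characters, so check strictly first.
  const b64 = match[2];
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    return { ok: false, reason: 'bad-base64' };
  }
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon < 1) return { ok: false, reason: 'no-client-id' };
  // RFC 6749 section 2.3.1: both parts are form-urlencoded before base64.
  const formDecode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  try {
    return {
      ok: true,
      clientId: formDecode(decoded.slice(0, colon)),
      clientSecret: formDecode(decoded.slice(colon + 1)),
    };
  } catch (e) {
    return { ok: false, reason: 'bad-percent-encoding' };
  }
}

// Client side of the same exchange: build the header value.
function buildBasicClientAuth(clientId, clientSecret) {
  const formEncode = (s) => encodeURIComponent(s).replace(/%20/g, '+');
  const pair = formEncode(clientId) + ':' + formEncode(clientSecret);
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}
```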