cs3org · enriquepablo · Nov 20, 2025
diff --git a/docs/request-options.rst b/docs/request-options.rst
@@ -131,7 +131,9 @@ auth
 :Summary: Pass an array of HTTP authentication parameters to use with the
         request. The array must contain the username in index [0], the password in
         index [1], and you can optionally provide a built-in authentication type in
-        index [2]. Pass ``null`` to disable authentication for a request.
+        index [2]. In the case of ``bearer`` authentication, the token will be in
+        index [0], and index [1] contains the empty string.
+        Pass ``null`` to disable authentication for a request.
 :Types:
         - array
         - string
@@ -180,6 +182,20 @@ ntlm
 
     This is currently only supported when using the cURL handler.
 
+bearer
+    Use `Bearer authentication <https://datatracker.ietf.org/doc/html/rfc6750>`_
+    (must be supported by the HTTP handler).
+
+.. code-block:: php
+
+    $client->request('GET', '/get', [
+        'auth' => ['token', '', 'bearer']
+    ]);
+
+.. note::
+
+    This is currently only supported when using the cURL handler.
+
 
 body
 ----

diff --git a/src/Client.php b/src/Client.php
@@ -416,6 +416,10 @@ private function applyOptions(RequestInterface $request, array &$options): Reque
                     $options['curl'][\CURLOPT_HTTPAUTH] = \CURLAUTH_NTLM;
                     $options['curl'][\CURLOPT_USERPWD] = "$value[0]:$value[1]";
                     break;
+                case 'bearer':
+                    $options['curl'][\CURLOPT_HTTPAUTH] = \CURLAUTH_BEARER;
+                    $options['curl'][\CURLOPT_XOAUTH2_BEARER] = $value[0];
+                    break;
             }
         }
 

diff --git a/src/Handler/StreamHandler.php b/src/Handler/StreamHandler.php
@@ -324,6 +324,11 @@ private function createStream(RequestInterface $request, array $options)
             throw new \InvalidArgumentException('Microsoft NTLM authentication only supported with curl handler');
         }
 
+        // Bearer authentication only supported with curl handler
+        if (isset($options['auth'][2]) && 'bearer' === $options['auth'][2]) {
+            throw new \InvalidArgumentException('Bearer authentication only supported with curl handler');
+        }
+
         $uri = $this->resolveHost($request, $options);
 
         $contextResource = $this->createResource(

diff --git a/src/RedirectMiddleware.php b/src/RedirectMiddleware.php
@@ -92,7 +92,8 @@ public function checkRedirect(RequestInterface $request, array $options, Respons
         if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) {
             unset(
                 $options['curl'][\CURLOPT_HTTPAUTH],
-                $options['curl'][\CURLOPT_USERPWD]
+                $options['curl'][\CURLOPT_USERPWD],
+                $options['curl'][\CURLOPT_XOAUTH2_BEARER]
             );
         }
 

diff --git a/tests/ClientTest.php b/tests/ClientTest.php
@@ -403,6 +403,18 @@ public function testAuthCanBeArrayForDigestAuth()
         ], $last['curl']);
     }
 
+    public function testAuthCanBeArrayForBearerAuth()
+    {
+        $mock = new MockHandler([new Response()]);
+        $client = new Client(['handler' => $mock]);
+        $client->get('http://foo.com', ['auth' => ['a', '', 'bearer']]);
+        $last = $mock->getLastOptions();
+        self::assertSame([
+            \CURLOPT_HTTPAUTH => 64,
+            \CURLOPT_XOAUTH2_BEARER => 'a',
+        ], $last['curl']);
+    }
+
     public function testAuthCanBeArrayForNtlmAuth()
     {
         $mock = new MockHandler([new Response()]);

diff --git a/tests/RedirectMiddlewareTest.php b/tests/RedirectMiddlewareTest.php
@@ -275,6 +275,7 @@ public function testInvokesOnRedirectForRedirects()
     /**
      * @testWith ["digest"]
      *           ["ntlm"]
+     *           ["bearer"]
      */
     public function testRemoveCurlAuthorizationOptionsOnRedirectCrossHost($auth)
     {
@@ -293,6 +294,10 @@ static function (RequestInterface $request, $options) {
                     isset($options['curl'][\CURLOPT_USERPWD]),
                     'curl options still contain CURLOPT_USERPWD entry'
                 );
+                self::assertFalse(
+                    isset($options['curl'][\CURLOPT_XOAUTH2_BEARER]),
+                    'curl options still contain CURLOPT_XOAUTH2_BEARER entry'
+                );
 
                 return new Response(200);
             },
@@ -305,6 +310,7 @@ static function (RequestInterface $request, $options) {
     /**
      * @testWith ["digest"]
      *           ["ntlm"]
+     *           ["bearer"]
      */
     public function testRemoveCurlAuthorizationOptionsOnRedirectCrossPort($auth)
     {
@@ -323,6 +329,10 @@ static function (RequestInterface $request, $options) {
                     isset($options['curl'][\CURLOPT_USERPWD]),
                     'curl options still contain CURLOPT_USERPWD entry'
                 );
+                self::assertFalse(
+                    isset($options['curl'][\CURLOPT_XOAUTH2_BEARER]),
+                    'curl options still contain CURLOPT_XOAUTH2_BEARER entry'
+                );
 
                 return new Response(200);
             },
@@ -335,6 +345,7 @@ static function (RequestInterface $request, $options) {
     /**
      * @testWith ["digest"]
      *           ["ntlm"]
+     *           ["bearer"]
      */
     public function testRemoveCurlAuthorizationOptionsOnRedirectCrossScheme($auth)
     {
@@ -353,6 +364,10 @@ static function (RequestInterface $request, $options) {
                     isset($options['curl'][\CURLOPT_USERPWD]),
                     'curl options still contain CURLOPT_USERPWD entry'
                 );
+                self::assertFalse(
+                    isset($options['curl'][\CURLOPT_XOAUTH2_BEARER]),
+                    'curl options still contain CURLOPT_XOAUTH2_BEARER entry'
+                );
 
                 return new Response(200);
             },
@@ -365,6 +380,7 @@ static function (RequestInterface $request, $options) {
     /**
      * @testWith ["digest"]
      *           ["ntlm"]
+     *           ["bearer"]
      */
     public function testRemoveCurlAuthorizationOptionsOnRedirectCrossSchemeSamePort($auth)
     {
@@ -383,6 +399,10 @@ static function (RequestInterface $request, $options) {
                     isset($options['curl'][\CURLOPT_USERPWD]),
                     'curl options still contain CURLOPT_USERPWD entry'
                 );
+                self::assertFalse(
+                    isset($options['curl'][\CURLOPT_XOAUTH2_BEARER]),
+                    'curl options still contain CURLOPT_XOAUTH2_BEARER entry'
+                );
 
                 return new Response(200);
             },
@@ -422,6 +442,32 @@ static function (RequestInterface $request, $options) {
         $client->get('http://example.com?a=b', ['auth' => ['testuser', 'testpass', $auth]]);
     }
 
+    /**
+     * @testWith ["bearer"]
+     *
+     */
+    public function testNotRemoveCurlBearerAuthorizationOptionsOnRedirect($auth)
+    {
+        if (!defined('\CURLOPT_HTTPAUTH') || !defined('\CURLOPT_XOAUTH2_BEARER')) {
+            self::markTestSkipped('ext-curl is required for this test');
+        }
+
+        $mock = new MockHandler([
+            new Response(302, ['Location' => 'http://example.com/2']),
+            static function (RequestInterface $request, $options) {
+                self::assertTrue(
+                    isset($options['curl'][\CURLOPT_XOAUTH2_BEARER]),
+                    'curl options still contain CURLOPT_XOAUTH2_BEARER entry'
+                );
+
+                return new Response(200);
+            },
+        ]);
+        $handler = HandlerStack::create($mock);
+        $client = new Client(['handler' => $handler]);
+        $client->get('http://example.com?a=b', ['auth' => ['testuser', 'testpass', $auth]]);
+    }
+
     public static function crossOriginRedirectProvider()
     {
         return [