It's not coming through, so I switched to HTTP_X_AUTHORIZATION.
You were right; I didn't read that quick start guide, so I understand now why this registry approach was implemented. But from my point of view I still think it would make more sense to try and extract these authorisation headers by default. Just to make sure there is one less point of failure. If the header isn't there, the value simply could have been empty, or it could be skipped at all.Anyways, I understand it's impossible to support all setups in the world. Just wanted to share in case other people are on the same path as we are :-)