slap on the forehead... of course!

I've overseen this.. So I could summarize the lesson learned as:
the actual authentication ('Authorization' header) isn't accessible for the script, but once a user is logged in/authenticated, the 'Remote-User' header is set and this *is* part of the script's %ENV and thus accessible.