diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
index bd3a72b8b..8691b8759 100644
--- a/include/freerdp/settings.h
+++ b/include/freerdp/settings.h
@@ -766,6 +766,7 @@ extern "C"
 #define FreeRDP_GatewayAcceptedCertLength (1999)
 #define FreeRDP_GatewayHttpUseWebsockets (2000)
 #define FreeRDP_GatewayHttpExtAuthSspiNtlm (2001)
+#define FreeRDP_GatewayHttpExtAuthBearer (2002)
 #define FreeRDP_ProxyType (2015)
 #define FreeRDP_ProxyHostname (2016)
 #define FreeRDP_ProxyPort (2017)
@@ -1340,7 +1341,8 @@ extern "C"
 ALIGN64 UINT32 GatewayAcceptedCertLength; /* 1999 */
 ALIGN64 BOOL GatewayHttpUseWebsockets; /* 2000 */
 ALIGN64 BOOL GatewayHttpExtAuthSspiNtlm; /* 2001 */
- UINT64 padding2015[2015 - 2002]; /* 2002 */
+ ALIGN64 char* GatewayHttpExtAuthBearer; /* 2002 */
+ UINT64 padding2015[2015 - 2003]; /* 2003 */
 /* Proxy */
 ALIGN64 UINT32 ProxyType; /* 2015 */
diff --git a/libfreerdp/common/settings_getters.c b/libfreerdp/common/settings_getters.c
index 0835b6f83..ad8eafbf5 100644
--- a/libfreerdp/common/settings_getters.c
+++ b/libfreerdp/common/settings_getters.c
@@ -2642,6 +2642,9 @@ const char* freerdp_settings_get_string(const rdpSettings* settings, size_t id)
 case FreeRDP_GatewayUsername:
 return settings->GatewayUsername;
+ case FreeRDP_GatewayHttpExtAuthBearer:
+ return settings->GatewayHttpExtAuthBearer;
+
 case FreeRDP_HomePath:
 return settings->HomePath;
@@ -2911,6 +2914,9 @@ char* freerdp_settings_get_string_writable(rdpSettings* settings, size_t id)
 case FreeRDP_GatewayUsername:
 return settings->GatewayUsername;
+ case FreeRDP_GatewayHttpExtAuthBearer:
+ return settings->GatewayHttpExtAuthBearer;
+
 case FreeRDP_HomePath:
 return settings->HomePath;
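Review bot: In the rdpSettings hunk of include/freerdp/settings.h, the new `GatewayHttpExtAuthBearer` field is commented only with its slot number, although the rdg.c part of this commit sends its value as the Authorization parameter, which makes it a credential. I would say so on the field, e.g. `ALIGN64 char* GatewayHttpExtAuthBearer; /* 2002: bearer token for gateway HTTP auth; secret, never log */`. The same id is exposed through freerdp_settings_get_string_writable and registered as FREERDP_SETTINGS_TYPE_STRING, so any code that prints or serializes string settings by id would presumably include the token; that code is not visible in this diff and is worth checking. The struct continues outside the hunk.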
@@ -3189,6 +3195,9 @@ BOOL freerdp_settings_set_string_(rdpSettings* settings, size_t id, char* val, s
 case FreeRDP_GatewayUsername:
 return update_string_(&settings->GatewayUsername, cnv.c, len);
+ case FreeRDP_GatewayHttpExtAuthBearer:
+ return update_string_(&settings->GatewayHttpExtAuthBearer, cnv.c, len);
+
 case FreeRDP_HomePath:
 return update_string_(&settings->HomePath, cnv.c, len);
@@ -3483,6 +3492,9 @@ BOOL freerdp_settings_set_string_copy_(rdpSettings* settings, size_t id, const c
 case FreeRDP_GatewayUsername:
 return update_string_copy_(&settings->GatewayUsername, cnv.cc, len, cleanup);
+ case FreeRDP_GatewayHttpExtAuthBearer:
+ return update_string_copy_(&settings->GatewayHttpExtAuthBearer, cnv.cc, len, cleanup);
+
 case FreeRDP_HomePath:
 return update_string_copy_(&settings->HomePath, cnv.cc, len, cleanup);
diff --git a/libfreerdp/common/settings_str.c b/libfreerdp/common/settings_str.c
index 8e4a15ecf..c76aa79cf 100644
--- a/libfreerdp/common/settings_str.c
+++ b/libfreerdp/common/settings_str.c
@@ -106,6 +106,8 @@ static const struct settings_str_entry settings_map[] = {
 { FreeRDP_GatewayEnabled, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_GatewayEnabled" },
 { FreeRDP_GatewayHttpExtAuthSspiNtlm, FREERDP_SETTINGS_TYPE_BOOL,
 "FreeRDP_GatewayHttpExtAuthSspiNtlm" },
+ { FreeRDP_GatewayHttpExtAuthBearer, FREERDP_SETTINGS_TYPE_STRING,
+ "FreeRDP_GatewayHttpExtAuthBearer" },
 { FreeRDP_GatewayHttpTransport, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_GatewayHttpTransport" },
 { FreeRDP_GatewayHttpUseWebsockets, FREERDP_SETTINGS_TYPE_BOOL,
 "FreeRDP_GatewayHttpUseWebsockets" },
diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index c8d2b75c2..67ff4a349 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -56,6 +56,7 @@
 #define HTTP_EXTENDED_AUTH_SC 0x1 /* Smart card authentication. */
 #define HTTP_EXTENDED_AUTH_PAA 0x02 /* Pluggable authentication. */
 #define HTTP_EXTENDED_AUTH_SSPI_NTLM 0x04 /* NTLM extended authentication. */
+#define HTTP_EXTENDED_AUTH_BEARER 0x08 /* HTTP Bearer authentication. */
 /* HTTP packet types. */
 #define PKT_TYPE_HANDSHAKE_REQUEST 0x1
@@ -1238,6 +1239,12 @@ static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
 goto out;
 }
+ else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
+ {
+ http_request_set_auth_scheme(request, "Bearer");
+ http_request_set_auth_param(request, rdg->settings->GatewayHttpExtAuthBearer);
+ }
+
 http_request_set_transfer_encoding(request, transferEncoding);
 s = http_request_write(rdg->http, request);
@@ -1861,6 +1868,8 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char*
 return FALSE;
 WINPR_ASSERT(rpcFallback);
+ if (rdg->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
+ rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
 if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
 {
 if (!rdg_auth_init(rdg, tls, AUTH_PKG))
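Review bot: In the rdg_build_http_request hunk of libfreerdp/core/gateway/rdg.c, the results of `http_request_set_auth_scheme` and `http_request_set_auth_param` are discarded, while the branch just above bails out with `goto out` on failure. Assuming these setters report failure like the other http_request_* helpers, a failed copy would let the request go out without its Authorization header instead of failing the call; I would write `if (!http_request_set_auth_scheme(request, "Bearer") || !http_request_set_auth_param(request, rdg->settings->GatewayHttpExtAuthBearer)) goto out;`. The token is also placed into a header line without any check, so rejecting values that contain CR or LF before this point would keep a malformed setting from changing the shape of the request. The function starts and ends outside the hunk.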
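Review bot: In the rdg_establish_data_connection hunk, the added test only checks that `GatewayHttpExtAuthBearer` is non-NULL, so if the setting can hold an empty string it still switches `rdg->extAuth` to `HTTP_EXTENDED_AUTH_BEARER` and bypasses the `rdg_auth_init` path below. The gateway would then be sent a Bearer header with an empty credential rather than falling back to the regular authentication. I would require a non-empty value and read it through the getter this commit extends: `const char* bearer = freerdp_settings_get_string(rdg->settings, FreeRDP_GatewayHttpExtAuthBearer);` followed by `if (bearer && (bearer[0] != '\0') && (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE))`. The function body continues outside the hunk.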