HADOOP-8883 made this change to KerberosAuthenticator
OOZIE-1010. However, as Andrey Klochkov pointed out recently, this inadvertently made the if statement always false because it turns out that the JDK excludes some headers, including the "Authorization" one that we're checking (see discussion here). This means that it was always either calling doSpnegoSequence(token); or getFallBackAuthenticator().authenticate(url, token);, which is actually the old behavior that existed before HADOOP-8855 changed it in the first place.
In any case, I tried removing the "Authorization" check and Oozie still works with and without Kerberos; the NPE reported in
OOZIE-1010 has since been properly fixed due as a side effect for a similar issue in OOZIE-1368.