fastify / fastify-bearer-auth

A Fastify plugin to require bearer Authorization headers

feat: add specCompliance option, option to set case insensitive for bearerType #172

Closed Uzlopak closed 9 months ago

Uzlopak commented 9 months ago

Resolves #169


Uzlopak commented 9 months ago

@climba03003 @mcollina @jsumners

I applied the requested change by @climba03003 . I personally don't know why rfc6749 is case insensitive but rfc6750 is case sensitive. I feel a little bit "blind" now after reading these RFCs multiple times. But I trust your assessment. ;).

Uzlopak commented 9 months ago

Happy new year, lol

jogu commented 8 months ago

Could you please clarify where you think RFC6750 says the HTTP authentication scheme name should be treated case sensitively?

I cannot find this stated.

I know that people do often look at this section https://www.rfc-editor.org/rfc/rfc6750#section-2.1 where it says:

credentials = "Bearer" 1*SP b64token

and assume this means case sensitive, however as per the document that defines this ABNF syntax, https://www.rfc-editor.org/rfc/rfc5234#section-2.3 (see screenshot below), this is defining "Bearer" to be case insensitive:

[screenshot: RFC 5234, section 2.3]

The underlying spec that defines HTTP authentication (which is what RFC6750 builds upon), https://www.rfc-editor.org/rfc/rfc9110#name-authentication-scheme states:

"It uses a case-insensitive token to identify the authentication scheme:"
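To make the rule above concrete, here is an added example (not fastify-bearer-auth's own code) of an Authorization header parser that matches the scheme name case-insensitively as RFC 9110 requires, enforces RFC 6750's `1*SP` and `b64token` shape, and returns the token verbatim since tokens themselves are case-sensitive; the `strictCase` option is a hypothetical stand-in for the legacy exact-spelling behaviour the PR discusses, not the plugin's real option name.

```javascript
// b64token per RFC 6750 section 2.1:
//   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/;

/**
 * Extract the bearer token from an Authorization header value.
 * Returns the token string, or null if the header is absent, uses a
 * different scheme, or is not a well-formed Bearer credential.
 *
 * @param {string|undefined} header  raw Authorization header value
 * @param {{ strictCase?: boolean }} opts
 *        strictCase=true accepts only the exact spelling "Bearer"
 *        (hypothetical legacy mode); default false follows RFC 9110,
 *        where the scheme is a case-insensitive token.
 */
function parseBearer(header, opts = {}) {
  if (typeof header !== 'string') return null;

  // credentials = "Bearer" 1*SP b64token
  // Exactly one scheme word, one or more spaces (SP only, not tabs),
  // then exactly one token word.
  const m = /^(\S+) +(\S+)$/.exec(header);
  if (m === null) return null;
  const [, scheme, token] = m;

  const schemeMatches = opts.strictCase
    ? scheme === 'Bearer'
    : scheme.toLowerCase() === 'bearer';
  if (!schemeMatches) return null;

  // The token is validated for shape only and never case-folded.
  if (!B64TOKEN.test(token)) return null;
  return token;
}
```

With the default options, "Bearer", "bearer" and "BEARER" are all accepted as the scheme, while a missing space, a second token, or a Basic credential is rejected.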

climba03003 commented 8 months ago

@jogu Looks like you are correct as it is using the ABNF syntax. It is really a problem that the interpretation of the specification requires such deep knowledge and digging through.

According to the issue linked from this PR and all the references inside, it seems like we are not the only ones who interpreted it wrongly and agreed that it is case-sensitive. What a disaster.

jogu commented 8 months ago

Yeah, definitely. As I said in https://github.com/oauth-wg/oauth-v2-1/issues/166 I hope this can be clarified in the upcoming 2.1 revision of the OAuth specification so that it's not such a big issue in the future.