In 1.0.0, the functions isValidIDPNewTokensResponse and isValidIDPRefreshTokenResponse check if the token_type in an IDP response exactly matches (case-sensitive) Bearer, whereas in version 0.5.3 this field was checked case-insensitively here. This appears to be breaking our auth flows on the new version because ADFS returns the value as bearer (lowercase "b").
time="2024/05/10 14:48:12" level=debug msg="handling callback request" x-request-id="c772af90-0000-49a8-8a22-2b0c63d719f2" scope="authz" type="oidc" session-id="PEmFYiEPCYQImdc7OBLFhzOYgi7EmrzF3vysCSa9fLjXcknnYl8aimyK2HedRVJq"
time="2024/05/10 14:48:12" level=debug msg="getting authorization state" x-request-id="c772af90-0000-49a8-8a22-2b0c63d719f2" scope="session" type="memory" session-id="PEmFYiEPCYQImdc7OBLFhzOYgi7EmrzF3vysCSa9fLjXcknnYl8aimyK2HedRVJq"
time="2024/05/10 14:48:12" level=info msg="performing request to retrieve new tokens" x-request-id="c772af90-0000-49a8-8a22-2b0c63d719f2" scope="authz" type="oidc" session-id="PEmFYiEPCYQImdc7OBLFhzOYgi7EmrzF3vysCSa9fLjXcknnYl8aimyK2HedRVJq"
time="2024/05/10 14:48:12" level=info msg="token type is not Bearer in token response" x-request-id="c772af90-0000-49a8-8a22-2b0c63d719f2" scope="authz" type="oidc" session-id="PEmFYiEPCYQImdc7OBLFhzOYgi7EmrzF3vysCSa9fLjXcknnYl8aimyK2HedRVJq" token-type="bearer"
time="2024/05/10 14:48:12" level=debug msg="process result" x-request-id="c772af90-0000-49a8-8a22-2b0c63d719f2" scope="authz" type="oidc" session-id="PEmFYiEPCYQImdc7OBLFhzOYgi7EmrzF3vysCSa9fLjXcknnYl8aimyK2HedRVJq" allow=false status="InvalidArgument"
From RFC-6749:
So it appears the old behavior of case-insensitive validation was correct.
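The two comparisons the issue contrasts, as an added example that is not authservice's own code: a strict check mirroring the 1.0.0 behaviour beside an RFC 6749 compliant case-insensitive check via strings.EqualFold, run over a constructed ADFS-style token body. The tokenResponse type and function names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tokenResponse carries the RFC 6749 section 5.1 fields relevant here.
// Hypothetical type for this example, not authservice's own.
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// isBearerStrict mirrors the 1.0.0 behaviour described in the issue:
// an exact, case-sensitive comparison that rejects ADFS's "bearer".
func isBearerStrict(r tokenResponse) bool {
	return r.TokenType == "Bearer"
}

// isBearerFold is the RFC 6749 compliant check: token_type is case-insensitive,
// so "bearer", "Bearer" and "BEARER" are accepted while other types are not.
func isBearerFold(r tokenResponse) bool {
	return strings.EqualFold(r.TokenType, "Bearer")
}

// validateIDPResponse parses a raw token endpoint body and applies the
// case-insensitive check, returning an error that says why a body was rejected.
func validateIDPResponse(body []byte) (tokenResponse, error) {
	var r tokenResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return r, fmt.Errorf("malformed token response: %w", err)
	}
	if r.AccessToken == "" {
		return r, fmt.Errorf("token response has no access_token")
	}
	if !isBearerFold(r) {
		return r, fmt.Errorf("token type is not Bearer in token response: %q", r.TokenType)
	}
	return r, nil
}

func main() {
	// Constructed body in the shape the issue reports from ADFS (lowercase "bearer").
	adfs := []byte(`{"access_token":"AT-EXAMPLE","token_type":"bearer","refresh_token":"RT-EXAMPLE"}`)
	r, err := validateIDPResponse(adfs)
	fmt.Println(isBearerStrict(r), isBearerFold(r), err) // false true <nil>
}
```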