Currently the bearerToken() method used in the TokenGuard requires the auth-scheme, "Bearer", to be capitalized as it uses the strrpos method to locate the position of the string "Bearer".
While this has been a point of contention and discussion among many groups, the upcoming OAuth 2.1 specification clarifies that the string "Bearer" should be case insensitive.
The fix is simple: replace the use of strrpos with its case-insensitive counterpart, strripos.
This would allow Laravel to accept "Bearer", "bearer" and "bEaReR" alike as the auth-scheme, as defined in the draft OAuth 2.1 specification.
More background and discussion can be viewed in this blog article from Auth0/Okta.
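As an added, stand-alone PHP illustration (not the framework's code or this PR's diff), the two lookup variants described above run against constructed Authorization header values; the function names here are mine, and the scheme matching is the only behaviour that changes.

```php
<?php
declare(strict_types=1);

// Current behaviour: strrpos() is case-sensitive, so only a capitalised
// "Bearer" scheme is recognised and any other casing yields no token.
function bearerTokenCaseSensitive(string $authorization): ?string
{
    $position = strrpos($authorization, 'Bearer ');
    if ($position === false) {
        return null;
    }
    return extractToken($authorization, $position);
}

// Fixed behaviour: strripos() matches the scheme regardless of case, as the
// OAuth 2.1 draft requires. The token value itself is still returned
// byte-for-byte, because bearer tokens remain case-sensitive.
function bearerTokenCaseInsensitive(string $authorization): ?string
{
    $position = strripos($authorization, 'Bearer ');
    if ($position === false) {
        return null;
    }
    return extractToken($authorization, $position);
}

// Shared tail: skip the 7-byte scheme prefix and stop at a comma so a header
// carrying several credentials yields only the first token.
function extractToken(string $authorization, int $position): string
{
    $token = substr($authorization, $position + 7);
    $comma = strpos($token, ',');
    return $comma !== false ? substr($token, 0, $comma) : $token;
}

// Constructed sample headers for the demonstration (not from the discussion).
$headers = [
    'Bearer abc.DEF.123',  // accepted by both variants
    'bearer abc.DEF.123',  // lowercase scheme: rejected before the fix
    'bEaReR abc.DEF.123',  // mixed case: rejected before the fix
    'Basic dXNlcjpwYXNz',  // different scheme: rejected by both
];

foreach ($headers as $header) {
    printf("%-22s strrpos=%-12s strripos=%s\n", $header,
        bearerTokenCaseSensitive($header) ?? 'null',
        bearerTokenCaseInsensitive($header) ?? 'null');
}
```

Only the second and third sample headers change outcome between the two variants; the Basic credential is still rejected, showing the fix widens scheme matching without accepting other schemes.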