Status: Closed (jogu closed this issue 6 months ago)
I think people often get confused by https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-5.1.1 in particular:
credentials = "Bearer" 1*SP token68
so this might be a good place to add an additional sentence. (As per https://www.rfc-editor.org/rfc/rfc5234#section-2.3 I believe this is defining 'Bearer' as a case-insensitive match.)
Should we update the ABNF description to use lowercase too then, just for good measure?
Good question and I don't really know if there's any precedent here. "Bearer" is the official name as per https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes but I'm not sure that matters.
As discussed in the May 14 interim:
Keep the examples with the capital B, and add a sentence clarifying that the scheme is case insensitive.
It seems to be a common interoperability issue (and a source of some really great arguments as to who is wrong, e.g. https://github.com/fastify/fastify-bearer-auth/pull/172#issuecomment-1903321866) that some implementations treat the 'Bearer' HTTP authentication scheme name as case-sensitive.
As far as I can find, HTTP authentication schemes are case-insensitive; in particular https://www.rfc-editor.org/rfc/rfc9110#name-authentication-scheme says:
Regardless of whether my conclusion is correct, I think we should add a sentence to OAuth 2.1 that makes it clear if it is case sensitive or not.
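To make the interoperability point concrete, here is an added example (not code from the OAuth 2.1 draft, fastify-bearer-auth, or anyone in this thread) of an Authorization header parser that matches the scheme name case-insensitively, as RFC 9110 requires, next to the `startsWith('Bearer ')` style check that rejects `bearer` and `BEARER`. The function names and the sample tokens are my own constructions.

```javascript
// token68 per RFC 9110 section 11.2:
//   token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const TOKEN68 = /^[A-Za-z0-9\-._~+/]+=*$/;

// RFC 9110-conformant parse of an Authorization header value for the Bearer scheme.
// Returns the token68 credential, or null when the header is missing, names a
// different scheme, or carries a malformed credential.
// (Hypothetical helper name; not from any library.)
function parseBearerAuthorization(header) {
  if (typeof header !== 'string') return null;
  // credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
  // The scheme and the credential are separated by one or more spaces; a bearer
  // credential is a single token68, so anything else after it is rejected.
  const m = /^(\S+) +(\S+)\s*$/.exec(header.trim());
  if (m === null) return null;
  const [, scheme, credential] = m;
  // auth-scheme is a case-insensitive token (RFC 9110 section 11.1), so
  // "Bearer", "bearer" and "BEARER" all name the same scheme.
  if (!/^bearer$/i.test(scheme)) return null;
  if (!TOKEN68.test(credential)) return null;
  return credential;
}

// The pattern that causes the interop arguments: an exact, case-sensitive
// prefix comparison. Shown only for contrast with the function above.
function legacyCaseSensitiveMatch(header) {
  return typeof header === 'string' && header.startsWith('Bearer ');
}

// Constructed sample headers, not real tokens.
const SAMPLES = [
  'Bearer mF_9.B5f-4.1JqM',              // canonical spelling from RFC 6750's example
  'bearer mF_9.B5f-4.1JqM',              // same scheme, different case
  'BEARER   abc==',                      // several spaces, padded token68
  'Basic YWxhZGRpbjpvcGVuc2VzYW1l',      // different scheme
  'Bearer',                              // scheme without a credential
  'Bearer ab=c',                         // "=" is only allowed at the end of token68
];

for (const h of SAMPLES) {
  console.log(JSON.stringify(h), '->', parseBearerAuthorization(h),
              '| legacy prefix check:', legacyCaseSensitiveMatch(h));
}
```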