openid / OpenID4VCI


Authorization token prefix "Bearer" is misspelled in some examples #371

Closed srosenda closed 4 weeks ago

srosenda commented 3 months ago

The prefix is spelled "BEARER" in some examples, when it should be spelled exactly as "Bearer". See RFC 6750, section 2.1. Authorization Request Header Field.

bc-pi commented 3 months ago

"BEARER" is perfectly legal https://www.rfc-editor.org/rfc/rfc9110.html#name-authentication-scheme

jogu commented 3 months ago

Agree with what Brian said. This has also been further clarified in OAuth 2.1: https://github.com/oauth-wg/oauth-v2-1/commit/673d7f0d501aef6cc1fd0bf38b2436d34d0af8cd

srosenda commented 3 months ago

You are correct: according to RFC9110 and the discussion in the OAuth 2.1 repository, OAuth implementations should accept the authentication scheme regardless of its character case.

Would it still be good to at least unify the OpenID4VCI examples to use the same spelling for the "Bearer" authentication scheme? There's also the IANA HTTP Authentication Scheme registry, which defines the "Bearer" scheme with a capital initial letter, which also matches the spelling in RFC6750. From a robustness principle / Postel's law perspective, clients creating requests could use the IANA spelling "Bearer" and servers processing them should accept the spelling in any mixed case.
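
An added illustration of the client/server split discussed in this thread (not part of the issue or of the OpenID4VCI specification): the client emits the registered spelling, while the server compares the scheme case-insensitively and still validates the token syntax from RFC 6750 section 2.1 exactly. All function names and sample header values are constructed for this example.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

CANONICAL_SCHEME = "Bearer"  # spelling used by RFC 6750 and the IANA registry


def build_authorization(token: str) -> str:
    """Client side: always emit the canonical spelling."""
    if not _B64TOKEN.fullmatch(token):
        raise ValueError("token is not a valid b64token")
    return f"{CANONICAL_SCHEME} {token}"


def strict_parse(header: str):
    """Brittle server check: rejects the legal 'BEARER' and 'bearer' forms."""
    if header.startswith("Bearer "):
        return header[len("Bearer "):]
    return None


def parse_bearer(header: str):
    """Tolerant server check: scheme is case-insensitive (RFC 9110),
    the token itself is case-sensitive and must match b64token."""
    scheme, sep, rest = header.partition(" ")
    if not sep or scheme.lower() != CANONICAL_SCHEME.lower():
        return None
    token = rest.lstrip(" ")  # the grammar allows one or more spaces
    return token if _B64TOKEN.fullmatch(token) else None


if __name__ == "__main__":
    # Constructed sample headers, not taken from the specification.
    samples = [
        "Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW",
        "BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW",
        "bearer  czZCaGRSa3F0MzpnWDFmQmF0M2JW",
        "Basic dXNlcjpwYXNz",
        "Bearer two tokens",
        "Bearer",
    ]
    for h in samples:
        print(f"{h!r:45} strict={strict_parse(h)!r} tolerant={parse_bearer(h)!r}")
```
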