solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

Authorization: Bearer header is case sensitive for JWT #8398

Open bdecoste opened 1 year ago

bdecoste commented 1 year ago

Gloo Edge Version

1.14.x (latest stable)

Kubernetes Version

None

Describe the bug

If I send "authorization: bearer TOKEN", then I get a Jwt is missing error. You need to send "Authorization: Bearer TOKEN" for the header to be processed.

This is against the HTTP spec.

Steps to reproduce the bug

Configure JWT e.g.

      jwt:
        providers:
          valid:
            audiences:
            - account
            claimsToHeaders:
            - claim: iss
              header: issuer
            - claim: sub
              header: subheader
            issuer: http://foo.com:8080/auth/realms/solo
            jwks:
              remote:
                cacheDuration: 3600s
                upstreamRef:
                  name: keycloak
                  namespace: gloo-system
                url: http://jwt.example.com/auth/realms/solo/protocol/openid-connect/certs
            keepToken: true
            tokenSource:
              headers:
              - header: access_token
              - header: Authorization
                prefix: Bearer
              - header: authorization
                prefix: bearer

Expected Behavior

Headers are case-agnostic per the HTTP spec.

Additional Context

Workaround:

            tokenSource:
              headers:
              - header: access_token
              - header: Authorization
                prefix: Bearer
              - header: authorization
                prefix: bearer
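To make the reported behaviour concrete, here is an added Go example (not Gloo's or Envoy's own code). The `header` and `tokenSource` types are hypothetical stand-ins for the `tokenSource.headers` entries in the config above. `extractStrict` compares the header name and the `Bearer` prefix byte-for-byte, which is the behaviour the report describes; `extractRFC` applies the HTTP rules instead: field names are case-insensitive (RFC 7230 §3.2), and the auth-scheme is case-insensitive and may be followed by one or more spaces before the credentials (RFC 7235 §2.1, RFC 6750 §2.1). The sample requests and the JWT-shaped token string are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// header is one request header exactly as it arrived on the wire, before any
// canonicalisation, so that name case is visible to the extractors below.
type header struct {
	Name  string
	Value string
}

// tokenSource mirrors the shape of the tokenSource.headers entries in the
// issue's config: a header name plus an optional scheme prefix such as "Bearer".
// Hypothetical type for this example, not Gloo's own API.
type tokenSource struct {
	Header string
	Prefix string
}

// extractStrict reproduces the behaviour the issue reports: header name and
// scheme prefix are both compared byte-for-byte, so "authorization: bearer X"
// yields no token when the source is configured as "Authorization"/"Bearer".
func extractStrict(hs []header, sources []tokenSource) (string, bool) {
	for _, src := range sources {
		for _, h := range hs {
			if h.Name != src.Header {
				continue
			}
			if src.Prefix == "" && h.Value != "" {
				return h.Value, true
			}
			if src.Prefix != "" && strings.HasPrefix(h.Value, src.Prefix+" ") {
				if tok := h.Value[len(src.Prefix)+1:]; tok != "" {
					return tok, true
				}
			}
		}
	}
	return "", false
}

// extractRFC applies the HTTP rules: field names are case-insensitive
// (RFC 7230), the auth-scheme is case-insensitive and separated from the
// credentials by one or more spaces (RFC 7235 §2.1, RFC 6750 §2.1).
func extractRFC(hs []header, sources []tokenSource) (string, bool) {
	for _, src := range sources {
		for _, h := range hs {
			if !strings.EqualFold(h.Name, src.Header) {
				continue
			}
			if src.Prefix == "" {
				if v := strings.TrimSpace(h.Value); v != "" {
					return v, true
				}
				continue
			}
			// Exactly two fields: the scheme and the token68 credential.
			fields := strings.Fields(h.Value)
			if len(fields) == 2 && strings.EqualFold(fields[0], src.Prefix) {
				return fields[1], true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed sample token; shape only, not a real signed JWT.
	const tok = "eyJhbGciOiJSUzI1NiJ9.e30.sig"
	issueCfg := []tokenSource{{Header: "access_token"}, {Header: "Authorization", Prefix: "Bearer"}}
	workaroundCfg := append(issueCfg, tokenSource{Header: "authorization", Prefix: "bearer"})

	requests := map[string][]header{
		"Authorization: Bearer":  {{"Authorization", "Bearer " + tok}},
		"authorization: bearer":  {{"authorization", "bearer " + tok}},
		"AUTHORIZATION: BEARER":  {{"AUTHORIZATION", "BEARER " + tok}},
		"access_token (no scheme)": {{"access_token", tok}},
		"Authorization: Basic":   {{"Authorization", "Basic dXNlcjpwdw=="}},
	}
	for name, hs := range requests {
		_, strictIssue := extractStrict(hs, issueCfg)
		_, strictWork := extractStrict(hs, workaroundCfg)
		_, rfc := extractRFC(hs, issueCfg)
		fmt.Printf("%-26s strict=%-5v workaround=%-5v rfc=%v\n", name, strictIssue, strictWork, rfc)
	}
}
```

Note what the workaround in the comment above does and does not buy: it adds one more exact spelling, so `authorization: bearer` is accepted but `AUTHORIZATION: BEARER` (or any other casing a client might legitimately send) still produces the "Jwt is missing" result. Matching the scheme with a case fold, as `extractRFC` does, covers every casing without loosening anything security-relevant: the extracted token is still subject to the same issuer, audience and signature checks, and a request with no recognised bearer credential still fails closed.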
bdecoste commented 1 year ago

https://github.com/solo-io/gloo-mesh-enterprise/issues/4894

ashutosh887 commented 1 year ago

Let me work on this @bdecoste Please assign

github-actions[bot] commented 4 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.