
Bearer token constant does not match OAuth 2.0 spec


Hi folks,

I just used your defined constant TOKEN_TYPE_BEARER = "bearer" from AuthorizationResponse.java (the same is also defined in TokenResponse.java) for setting my access token in my HTTP header.

request
    .newBuilder()
    .addHeader(HttpHeaders.AUTHORIZATION,
        "${AuthorizationResponse.TOKEN_TYPE_BEARER} $accessToken")
    .build()

The problem is that "bearer" does not match the spec of https://tools.ietf.org/html/rfc6749#section-7.1 where the header value prefix bearer is defined with a capital letter "Bearer".

When updating the Spring Security dependency in my service implementation, the requests were rejected because the HTTP header value does not match the spec.

I don't know if you are using these constants in a different context and maybe they are actually not supposed to be used for setting HTTP header values.

If they are actually supposed to be reused, maybe some other users can start struggling with this pitfall as well.

Kind regards, Stefan

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

1 reaction
panva commented, Jul 15, 2019

Nevertheless, for the sake of interoperability, which is the only thing that matters when there are no security implications:

  • clients ought to be sending Bearer
  • resource servers should accept case-insensitively matched schemes

1 reaction
andifalk commented, Jul 15, 2019

Because RFC6750 (bearer token usage) makes use of the Authorization header defined in RFC2617 which defines the scheme as case insensitive. Therefore spring security should match the scheme accordingly.

RFC examples are also not normative.

But RFC2617 is obsoleted by https://tools.ietf.org/html/rfc7617#section-1 and RFC7617 also states: "Note that both scheme and parameter names are matched case-insensitively." Also, RFC6750 states: "Note that, as with Basic, it does not conform to the generic syntax defined in Section 1.2 of [RFC2617]". You may also follow the current discussion in a corresponding issue in Spring Security: https://github.com/spring-projects/spring-security/issues/6228

So currently, with all the different specs, it is quite unclear what this means for case-sensitivity/case-insensitivity of the bearer token header 😦
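The two-sided approach the comments above converge on, as an added example that is not code from the library the issue is about or from Spring Security: the client emits the canonical `Bearer` scheme, while the resource server matches the scheme case-insensitively (RFC 7235 / RFC 7617 wording) and still validates the `b64token` syntax from RFC 6750 section 2.1. It is written in Python as a language-neutral illustration of the Kotlin/Java code in the thread; the lower-case constant, the strict parser and the sample headers are constructed to reproduce the rejection the reporter saw.

```python
import re
from typing import Optional, Tuple

# Mirrors the lower-case constant quoted in the issue; the canonical spelling
# is the one used in the RFC 6749 section 7.1 / RFC 6750 examples.
TOKEN_TYPE_BEARER = "bearer"
CANONICAL_SCHEME = "Bearer"

# credentials = auth-scheme 1*SP token  (one scheme, one or more spaces, one token)
_CREDENTIALS = re.compile(r"^(?P<scheme>\S+)[ ]+(?P<token>\S+)$")
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="   (RFC 6750 s2.1)
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def build_authorization_header(access_token: str) -> str:
    """Client side: always send the canonical 'Bearer' scheme for interoperability."""
    return f"{CANONICAL_SCHEME} {access_token}"


def extract_bearer_token(authorization: Optional[str]) -> Tuple[Optional[str], str]:
    """Resource-server side: returns (token, reason); token is None on any rejection.

    The scheme is compared case-insensitively, so 'bearer', 'Bearer' and 'BEARER'
    are all accepted; the reason string is meant for access logs / detection.
    """
    if not authorization:
        return None, "missing"
    match = _CREDENTIALS.match(authorization)
    if not match:
        return None, "malformed"
    scheme, token = match.group("scheme"), match.group("token")
    if scheme.lower() != TOKEN_TYPE_BEARER:
        return None, f"unsupported scheme {scheme!r}"
    if not _B64TOKEN.match(token):
        return None, "invalid b64token"
    return token, "ok"


def extract_bearer_token_strict(authorization: Optional[str]) -> Optional[str]:
    """Exact-case prefix match: the behaviour that rejected the lower-case header."""
    if authorization and authorization.startswith(CANONICAL_SCHEME + " "):
        return authorization[len(CANONICAL_SCHEME) + 1:]
    return None


if __name__ == "__main__":
    sample = f"{TOKEN_TYPE_BEARER} abc.def-ghi=="   # constructed header, lower-case scheme
    print("strict parser  :", extract_bearer_token_strict(sample))   # None
    print("lenient parser :", extract_bearer_token(sample))          # ('abc.def-ghi==', 'ok')
    print("client sends   :", build_authorization_header("abc.def-ghi=="))
```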
