Bearer token constant does not match OAuth 2.0 spec
Hi folks,
I just used your defined constant `TOKEN_TYPE_BEARER = "bearer"` from AuthorizationResponse.java (same is also defined in TokenResponse.java) for setting my access token in my HTTP header:
```kotlin
// OkHttp request builder: the Authorization header is built from the
// AppAuth constant, so it becomes "bearer <accessToken>" (lowercase scheme)
request
    .newBuilder()
    .addHeader(
        HttpHeaders.AUTHORIZATION,
        "${AuthorizationResponse.TOKEN_TYPE_BEARER} $accessToken"
    )
    .build()
```
The problem is that "bearer" does not match the spec of https://tools.ietf.org/html/rfc6749#section-7.1, where the header value prefix is defined with a capital letter: "Bearer".
When updating the Spring Security dependency in my service implementation, the requests were rejected because the HTTP header value does not match the spec.
I don't know if you are using these constants in a different context and maybe they are actually not supposed to be used for setting HTTP header values.
If they are actually supposed to be reused, maybe some other users can start struggling with this pitfall as well.
Kind regards Stefan
Issue Analytics
- Created 4 years ago
- Reactions: 2
- Comments: 7 (5 by maintainers)
Top GitHub Comments
Nevertheless for the sake of interoperability which is the only thing that matters when there are no security implications
But RFC2617 is obsoleted by https://tools.ietf.org/html/rfc7617#section-1 and RFC7617 also states that "Note that both scheme and parameter names are matched case-insensitively." Also RFC6750 states that "Note that, as with Basic, it does not conform to the generic syntax defined in Section 1.2 of [RFC2617]". You may also follow the current discussion in a corresponding issue in Spring Security: https://github.com/spring-projects/spring-security/issues/6228
So currently, with all the different specs, it is quite unclear what this means for case-sensitivity/case-insensitivity of the bearer token header 😦
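The two behaviours the thread contrasts, as an added example that is not part of the issue or of AppAuth's code: a strict prefix check, which rejects the header the Kotlin snippet above produces, beside a check that compares the scheme case-insensitively (RFC 7235 section 2.1) and validates the credentials against the b64token grammar of RFC 6750 section 2.1. The header values are constructed for the example.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Mirrors the AppAuth constant quoted in the issue: lowercase scheme.
TOKEN_TYPE_BEARER = "bearer"


def build_authorization_header(access_token):
    """What the Kotlin snippet in the issue sends: 'bearer <token>'."""
    return f"{TOKEN_TYPE_BEARER} {access_token}"


def extract_bearer_token_strict(header):
    """Exact-prefix check: rejects any scheme that is not spelled 'Bearer'."""
    prefix = "Bearer "
    if header is None or not header.startswith(prefix):
        return None
    return header[len(prefix):] or None


def extract_bearer_token_rfc(header):
    """Scheme matched case-insensitively, credentials checked as b64token.

    Whitespace splitting is an approximation of the 1*SP rule (it also
    accepts tabs); the scheme comparison is the point of the example.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts
    if scheme.lower() != "bearer":
        return None
    if not B64TOKEN_RE.fullmatch(credentials):
        return None
    return credentials


if __name__ == "__main__":
    # Constructed sample token (the example token from RFC 6750).
    hdr = build_authorization_header("mF_9.B5f-4.1JqM")
    print("strict:", extract_bearer_token_strict(hdr))  # None: 'bearer' rejected
    print("rfc:   ", extract_bearer_token_rfc(hdr))     # mF_9.B5f-4.1JqM
```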