Authorization token prefix "Bearer" is misspelled in some examples #371

Open
srosenda opened this issue Aug 6, 2024 · 3 comments · May be fixed by #372

Comments


srosenda commented Aug 6, 2024

The prefix is spelled "BEARER" in some examples, when it should be spelled exactly as "Bearer". See RFC 6750, section 2.1. Authorization Request Header Field.

Member

bc-pi commented Aug 6, 2024

Contributor

jogu commented Aug 6, 2024

Agree with what Brian said. This has also been further clarified in OAuth 2.1: oauth-wg/oauth-v2-1@673d7f0

bc-pi referenced this issue in oauth-wg/oauth-v2-1 Aug 6, 2024
Author

srosenda commented Aug 7, 2024

You are correct: according to RFC9110 and the discussion in the OAuth 2.1 repository, OAuth implementations should accept the authentication scheme regardless of its character case.

Would it still be good to at least unify the OpenID4VCI examples to use the same spelling for the "Bearer" authentication scheme? There's also the IANA HTTP Authentication Scheme registry, which defines the "Bearer" scheme with a capital initial letter, which also matches the spelling in RFC6750. From a robustness principle / Postel's law perspective, clients creating requests could use the IANA spelling "Bearer" and servers processing them should accept the spelling in any mixed case.
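
The behaviour discussed in this thread, as an added example that is not part of any comment above and not code from the OpenID4VCI specification: a client helper that emits the registered spelling "Bearer" and a server helper that matches the scheme case-insensitively while still validating the token syntax. The function names and sample tokens are constructed for illustration, and the header value is assumed to be already trimmed by the HTTP stack.

```python
import re

# token68 syntax (RFC 9110) / b64token (RFC 6750 section 2.1):
# one or more of ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "=" padding.
_TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def build_authorization_header(access_token):
    """Client side (hypothetical helper): always send the registered spelling 'Bearer'."""
    if not _TOKEN68.fullmatch(access_token):
        raise ValueError("access token is not a valid token68 value")
    return "Bearer " + access_token


def extract_bearer_token(header_value):
    """Server side (hypothetical helper): return the token, or None when the
    header is not a well-formed Bearer credential.

    The scheme is compared case-insensitively as a whole word, so "BEARER"
    and "bearer" are accepted but "BearerX" is not.
    """
    if not header_value:
        return None
    scheme, sep, rest = header_value.partition(" ")
    if not sep or scheme.lower() != "bearer":
        return None
    token = rest.lstrip(" ")  # one or more spaces may separate scheme and token
    if not _TOKEN68.fullmatch(token):
        return None  # empty token, embedded spaces, control characters, ...
    return token


if __name__ == "__main__":
    # Constructed sample headers, not taken from the specification examples.
    for sample in ("Bearer abc.def-123", "BEARER abc.def-123", "bearer   abc",
                   "BearerX abc", "Bearer", "Bearer abc def", "Basic dXNlcjpwYXNz"):
        print(repr(sample), "->", extract_bearer_token(sample))
```

Comparing the whole scheme token, rather than testing a string prefix, keeps the lenient case handling from also accepting unrelated schemes that merely start with "bearer".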
