
'Bearer' in Authorization header value to be case-sensitive option


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 2.0.1
    • Fix Version/s: 2.1.0
    • Component/s: None

    Description

      According to the specification [1], the authentication scheme in the 'Authorization' header value ('Bearer') must be matched case-insensitively.
      For example, the following two must not make a difference:

      Authorization: Bearer 15a75234561c0817461234579153203ebcd54321

      Authorization: bearer 15a75234561c0817461234579153203ebcd54321

      However, some servers do not understand the request if the second form (bearer ...) is used.
      At the same time, some REST client frameworks always send the lower-cased bearer ... for some reason:

      Some servers, such as WebDAM's REST API (https://webdam.com/, ref: https://www.damsuccess.com/hc/en-us/articles/202134055-REST-API) or the Amazon REST API (ref: https://github.com/golang/oauth2/issues/113), unfortunately do not accept the Authorization header correctly if the scheme in the header value is lower-cased.

      Strictly speaking, the server implementations are wrong and REST client frameworks such as spring-security-oauth do not have a problem.
      However, in practice it is not easy to get those external servers fixed in time.

      Therefore, I think it's better to provide a custom org.springframework.security.oauth2.client.DefaultOAuth2RequestAuthenticator class in the CRISP API to correct the header value to Bearer ... all the time.

      [1] https://tools.ietf.org/html/rfc2617#section-1.2
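      One way to implement the workaround described above, as an added example that is neither CRISP's nor Spring's own code: a hypothetical OAuth2RequestAuthenticator that writes the Authorization header with a canonical "Bearer" scheme no matter how the token endpoint spelled token_type in its response. It assumes the spring-security-oauth2 2.x client API (OAuth2RequestAuthenticator, OAuth2ClientContext, OAuth2AccessToken) and the class name CanonicalBearerRequestAuthenticator is a constructed one.

```java
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RequestAuthenticator;
import org.springframework.security.oauth2.client.http.AccessTokenRequiredException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.util.StringUtils;

/**
 * Hypothetical authenticator (example code, not CRISP's or Spring's own) that always
 * emits "Bearer <token>" for bearer tokens, even when the token response said "bearer".
 * Any non-bearer scheme (e.g. "MAC") is passed through unchanged.
 */
public class CanonicalBearerRequestAuthenticator implements OAuth2RequestAuthenticator {

    /** Builds the header value; kept separate so it can be unit-tested without a request. */
    static String headerValue(String tokenType, String tokenValue) {
        String scheme = tokenType;
        // "bearer", "BEARER" or a missing type all become the canonical "Bearer"
        // (OAuth2AccessToken.BEARER_TYPE is the constant "Bearer").
        if (!StringUtils.hasText(scheme) || OAuth2AccessToken.BEARER_TYPE.equalsIgnoreCase(scheme.trim())) {
            scheme = OAuth2AccessToken.BEARER_TYPE;
        }
        return scheme + " " + tokenValue;
    }

    @Override
    public void authenticate(OAuth2ProtectedResourceDetails resource, OAuth2ClientContext clientContext,
                             ClientHttpRequest request) {
        OAuth2AccessToken accessToken = clientContext.getAccessToken();
        if (accessToken == null) {
            // Same behaviour as DefaultOAuth2RequestAuthenticator: no token, no request.
            throw new AccessTokenRequiredException(resource);
        }
        // Overwrites (rather than appends) so exactly one Authorization header is sent.
        request.getHeaders().set("Authorization",
                headerValue(accessToken.getTokenType(), accessToken.getValue()));
    }
}
```

      Install it on the client with oAuth2RestTemplate.setAuthenticator(new CanonicalBearerRequestAuthenticator()); a token response of {"token_type": "bearer", ...} then still produces Authorization: Bearer <token> on every resource request.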

            People

              wko Woonsan Ko