According to the specification , the header value for 'Authorization' must be case-insensitive.
For example, the following two must not make a difference:
However, some servers do not understand if the second one bearer ... is used.
By the way, some rest client framework uses the lower-cased bearer ... always for some reasons:
Some servers such as WebDAM (https://webdam.com/)'s REST API (ref: https://www.damsuccess.com/hc/en-us/articles/202134055-REST-API) or Amazon REST API (ref: https://github.com/golang/oauth2/issues/113) does not take Authorization header correctly if the header value is lower-cased unfortunately.
Strictly speaking, the server implementations were wrong and the rest client framework such as spring-security-oauth do not have a problem.
However, practically, it's not easy to get those external servers fixed correctly in time.
Therefore, I think it's better to provide a custom org.springframework.security.oauth2.client.DefaultOAuth2RequestAuthenticator class in CRISP API to correct the header value to Bearer ... all the time.