Details
Type: Improvement
Status: Closed
Priority: Normal
Resolution: Fixed
2.0.1
None
Description
According to the specification [1], the header value for 'Authorization' must be case-insensitive.
For example, the following two must not make a difference:
Authorization: Bearer 15a75234561c0817461234579153203ebcd54321
Authorization: bearer 15a75234561c0817461234579153203ebcd54321
However, some servers do not understand the request if the second form, bearer ..., is used.
By the way, some REST client frameworks always use the lower-cased bearer ... for some reason:
- org.springframework.security.oauth2.client.DefaultOAuth2RequestAuthenticator
- https://github.com/golang/oauth2/issues/113
Unfortunately, some servers, such as WebDAM's REST API (https://webdam.com/; ref: https://www.damsuccess.com/hc/en-us/articles/202134055-REST-API) or the Amazon REST API (ref: https://github.com/golang/oauth2/issues/113), do not accept the Authorization header correctly if the header value is lower-cased.
Strictly speaking, the server implementations are wrong, and REST client frameworks such as spring-security-oauth do not have a problem.
However, in practice it's not easy to get those external servers fixed in time.
Therefore, I think it's better to provide a custom org.springframework.security.oauth2.client.DefaultOAuth2RequestAuthenticator class in the CRISP API that always corrects the header value to Bearer ....
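The authenticator proposed above, as an added example that is not the CRISP API's or spring-security-oauth's own code. In spring-security-oauth2 2.x, DefaultOAuth2RequestAuthenticator writes the token_type string returned by the token endpoint verbatim into the Authorization header, so a server that answers "token_type": "bearer" produces the lower-cased form. The class below lets the default implementation build the header and then rewrites only the scheme token to Bearer, leaving the credential part untouched, since only the scheme is case-insensitive and the token value is not. The package name, the class name and the normalizeBearerScheme / newRestTemplate helpers are assumptions made for this example.

```java
package org.example.crisp.oauth2; // hypothetical package; not part of the CRISP API

import org.springframework.http.HttpHeaders;
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.security.oauth2.client.DefaultOAuth2RequestAuthenticator;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;

/**
 * Request authenticator that lets DefaultOAuth2RequestAuthenticator build the
 * Authorization header as usual (it copies the token_type returned by the token
 * endpoint, which is often the lower-cased "bearer"), then canonicalises only the
 * scheme token to "Bearer". The credentials after the scheme are left exactly as
 * they were: the scheme is case-insensitive, the token itself is not.
 */
public class BearerCaseNormalizingAuthenticator extends DefaultOAuth2RequestAuthenticator {

    private static final String AUTHORIZATION = "Authorization";
    private static final String BEARER = "Bearer";

    @Override
    public void authenticate(OAuth2ProtectedResourceDetails resource,
                             OAuth2ClientContext clientContext,
                             ClientHttpRequest request) {
        // Default behaviour: fails if no access token is present in the client context,
        // otherwise sets "Authorization: <tokenType> <tokenValue>".
        super.authenticate(resource, clientContext, request);

        HttpHeaders headers = request.getHeaders();
        String value = headers.getFirst(AUTHORIZATION);
        if (value != null) {
            headers.set(AUTHORIZATION, normalizeBearerScheme(value));
        }
    }

    /**
     * Returns the header value with the scheme token rewritten to "Bearer" when it is
     * any case variant of "bearer". Other schemes (Basic, MAC, ...) are returned unchanged.
     * Hypothetical helper written for this example.
     */
    public static String normalizeBearerScheme(String headerValue) {
        String trimmed = headerValue.trim();
        // RFC 7235 grammar: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
        int sp = trimmed.indexOf(' ');
        String scheme = sp < 0 ? trimmed : trimmed.substring(0, sp);
        if (!BEARER.equalsIgnoreCase(scheme)) {
            return headerValue; // not a bearer credential; do not touch it
        }
        if (sp < 0) {
            return BEARER; // scheme only, no credentials; let the server reject it
        }
        // Keep the credential part byte-for-byte; only the scheme is case-insensitive.
        String credentials = trimmed.substring(sp + 1).trim();
        return BEARER + " " + credentials;
    }

    /**
     * Wiring: install the authenticator on the OAuth2RestTemplate used to call the
     * external REST API. Hypothetical helper written for this example.
     */
    public static OAuth2RestTemplate newRestTemplate(OAuth2ProtectedResourceDetails resource) {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resource);
        template.setAuthenticator(new BearerCaseNormalizingAuthenticator());
        return template;
    }

    /** Offline demonstration of the scheme normalisation on the values from the issue. */
    public static void main(String[] args) {
        String token = "15a75234561c0817461234579153203ebcd54321";
        System.out.println(normalizeBearerScheme("bearer " + token)); // lower-cased scheme
        System.out.println(normalizeBearerScheme("Bearer " + token)); // already canonical
        System.out.println(normalizeBearerScheme("Basic dXNlcjpwYXNz")); // different scheme
    }
}
```

Subclassing rather than reimplementing keeps the default's missing-token handling and only changes the one thing the issue is about; if a token endpoint ever returns a non-bearer token_type, the header goes out unchanged, which is the safer failure mode than forcing Bearer onto every credential.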