Current Limitation
There appears to be a contradiction in the OAuth specifications regarding the case sensitivity of the "Bearer" scheme. While the examples in the Bearer Token Usage specification suggest the token type is case-sensitive as "Bearer," the same specification refers to the HTTP Authentication specification, which clearly states that the scheme is case-insensitive. This inconsistency has created confusion about the expected behavior. The OAuth Working Group has addressed this issue by including a note in the upcoming OAuth 2.1 specification, explicitly clarifying that the token type is case-insensitive. Additionally, the HTTP Semantics specification reaffirms that authentication scheme names are case-insensitive.
Suggested Improvement
Our current implementation treats authorization schemes as case-sensitive, which conflicts with the clarified specifications. To align with these standards and eliminate any ambiguity, we suggest modifying the implementation to treat the authorization schemes such as "Bearer" as case-insensitive. This change will ensure compliance and improve interoperability.
Version
No response
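An added example, not code from the project this issue was filed against: a minimal Authorization header parser that matches the scheme case-insensitively while leaving the token untouched, next to a sketch of the case-sensitive prefix check the issue describes. All function names and the sample header values are hypothetical, and only the token68 credential form used by Bearer is handled.

```python
import re

# RFC 9110 grammar: credentials = auth-scheme 1*SP token68
# Assumption: only the token68 form is parsed (the form Bearer uses).
_CREDENTIALS = re.compile(
    r"(?P<scheme>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)"  # auth-scheme is an HTTP token
    r" +"                                         # one or more spaces
    r"(?P<token>[A-Za-z0-9\-._~+/]+=*)"           # token68
)


def parse_credentials(header_value):
    """Return (lower-cased scheme, token) or None if the value is malformed."""
    if header_value is None:
        return None
    # fullmatch rejects trailing garbage such as a stray newline or second token
    m = _CREDENTIALS.fullmatch(header_value.strip(" \t"))
    if m is None:
        return None
    return m.group("scheme").lower(), m.group("token")


def bearer_token_strict(header_value):
    """Sketch of a case-sensitive check: only the literal 'Bearer ' matches."""
    prefix = "Bearer "
    if header_value and header_value.startswith(prefix):
        return header_value[len(prefix):]
    return None


def bearer_token(header_value):
    """Case-insensitive scheme match; the token keeps its exact case."""
    parsed = parse_credentials(header_value)
    if parsed is None or parsed[0] != "bearer":
        return None
    return parsed[1]


# Constructed sample header values, not taken from any real request.
SAMPLES = ["Bearer abc.DEF-123", "bearer abc.DEF-123", "BEARER abc.DEF-123",
           "Basic dXNlcjpwYXNz", "Bearer", "Bearer abc def"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), bearer_token_strict(value), bearer_token(value))
```

Only the scheme comparison is relaxed: the token itself is still compared byte-for-byte, and values with a missing or malformed token are rejected regardless of how the scheme is spelled.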