On 6 Jul 2025, at 13:22, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> Hey
>
> I was working with Claude on an MCP server which requires authorization, and
> it generated this code,
> const authHeader = request.headers.authorization
> if (authHeader && authHeader.startsWith('Bearer ')) {
> const token = authHeader.split(' ')[1]
>
> which is likely based on patterns in the wild. In the OAuth 2.1 draft we are
> making it clear that "Bearer" is case insensitive and that the separator can
> be multiple spaces. A client sending
>
> Authorization: bearer ey-access-token
>
> would of course fail in this validation. Do we as a WG want to be aligned
> with the HTTP spec, or align with what is widely deployed?
I don’t think we can change the case-insensitivity of the auth scheme, but we
can certainly RECOMMEND that clients send “Bearer ” with exactly 1 space and
title-case. *Lots* of code does the same thing as that JavaScript, including
(mea culpa) the example code in my own book! GitHub in fact finds *hundreds of
thousands* of similar cases, so I think the ship may have sailed:
https://github.com/search?q=startsWith%28%22Bearer+%22%29&type=code
— Neil
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org