Token type is case sensitive

I’ve implemented a workaround so this isn’t a huge issue; however, it seems like the standard is that the bearer token type should be case insensitive, according to the author of the library I’m using (https://github.com/panva/node-openid-client/issues/248). So I thought I’d post about it.

Looks like someone else ran into the issue too: `{"error":"Unauthorized","status":401,"message":"OAuth token is missing"}`

The token_type field is case insensitive, so Twitch could send Bearer, bearer, BEARER, BeArEr and all of those would be valid.

The Authorization header IS case sensitive though, and both the specifications for the Bearer token scheme and all Twitch examples/guides show the header using `Bearer`.

Oh sorry, I meant in the authorization header. Do you think openid-client’s author is wrong about the RFC specification?
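A client-side workaround of the kind this thread discusses, as an added example (not code from Twitch, openid-client, or any poster here): it matches `token_type` case-insensitively and always emits the `Bearer` spelling the Twitch guides use in the header. The function name `authorizationHeader` and the sample token values are hypothetical.

```javascript
// b64token syntax from RFC 6750 section 2.1:
//   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Header spelling to send for each token type, keyed by lower-cased token_type.
const SCHEMES = new Map([['bearer', 'Bearer']]);

// Build the Authorization header value from a token endpoint response.
function authorizationHeader(tokenResponse) {
  const { token_type: tokenType, access_token: accessToken } = tokenResponse || {};
  if (typeof tokenType !== 'string' || typeof accessToken !== 'string') {
    throw new TypeError('token response needs string token_type and access_token');
  }
  // token_type is compared case-insensitively, so "bearer" and "BeArEr" both match.
  const scheme = SCHEMES.get(tokenType.toLowerCase());
  if (!scheme) {
    throw new Error(`unsupported token_type: ${JSON.stringify(tokenType)}`);
  }
  // Rejecting anything outside b64token also keeps CR/LF out of the header.
  if (!B64TOKEN.test(accessToken)) {
    throw new Error('access_token is not a valid b64token');
  }
  return `${scheme} ${accessToken}`;
}

// Constructed token responses (not real Twitch output).
const samples = [
  { token_type: 'bearer', access_token: 'abc123def456' },
  { token_type: 'BeArEr', access_token: 'abc123def456' },
  { token_type: 'mac', access_token: 'abc123def456' },
];

for (const sample of samples) {
  try {
    console.log(sample.token_type, '->', authorizationHeader(sample));
  } catch (err) {
    console.log(sample.token_type, '-> rejected:', err.message);
  }
}
```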
