According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
Conversation
|
@nlebas Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
|
@nlebas Thank you for signing the Contributor License Agreement! |
There was a problem hiding this comment.
Thanks for the PR, @nlebas! I left just one code comment, and would you also mind changing the commit message to follow what's in the contribution guidelines and also squash your commits when you are done?
| @@ -87,7 +89,7 @@ public void setAllowUriQueryParameter(boolean allowUriQueryParameter) { | |||
|
|
|||
| private static String resolveFromAuthorizationHeader(HttpServletRequest request) { | |||
| String authorization = request.getHeader(HttpHeaders.AUTHORIZATION); | |||
| if (StringUtils.hasText(authorization) && authorization.startsWith("Bearer")) { | |||
| if (StringUtils.hasText(authorization) && authorization.toLowerCase().startsWith("bearer")) { | |||
There was a problem hiding this comment.
It would be more efficient if we didn't lowercase the entire string just to compare the first few characters.
Could we instead do
| if (StringUtils.hasText(authorization) && authorization.toLowerCase().startsWith("bearer")) { | |
| if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) { |
There was a problem hiding this comment.
Thanks! I've switched to StringUtils.startsWithIgnoreCase as suggested.
The Authorization header was matched for OAuth2 against the "Bearer" keyword in a case sensitive fashion. According to RFC 2617, it should be case insensitive and some oauth clients (including some earlier versions of spring-security) expect it so.
|
Thanks for the PR, @nlebas! This is now merged into |
jzheaux
added
type: enhancement
|
I don't think this should've been merged. First of all, It also states that Unless otherwise noted, all the protocol parameter names and values are case sensitive in section 1.1. Regarding To my understanding, the RFC 2617 uses case-insensitivity in terms of identifying auth scheme on the client, which isn't really a subject of Resource Server support. |
|
I'm also pretty sure that Google will reject a protected resource request if |
|
I'll acknowledge the formulation "Unless otherwise noted" creates some ambiguity, since "uses the framework defined in RFC2617" can be interpreted as "otherwise noted", or not. All auth-schemes are always Capitalized in all specs, and use the word "MUST"... Now from a practical perspective, I suggest the Bearer keyword should always be provided case-sensitive (capital B) by both servers and clients, but should be accepted as case insensitive, if only for backwards compatibility. My specific issue is that I have to deal with a client that uses spring-security-oauth2 prior to this fix: spring-attic/spring-security-oauth#1346 |
|
These are all valid points from @vpavic. I agree we cannot compare If you look at 2.1. Authorization Request Header Field
The key point is highlighted in bold. Although the generic syntax does state case-insensitivity for the auth-scheme, it seems the
|
|
I think the statement "Note that, as with Basic, it does not conform to the As to that, please note that the current implementation of DefaultBearerTokenResolver tolerates and ignores an eventual = sign. |
|
A similar change was recently made for Basic authentication: #5586 on the same grounds. I believe it is a reasonable interpretation that the case-insensitivity applies to the |
Although I feel @rwinch What are your thoughts on this? |
|
We've started seeing this become an issue as well. Happy to see there's been work done on this. The Cloud Foundry ecosystem is another place where the case insensitivity has existed in the past and we saw the change caused issues to show up, essential causing backwards compatibility issues for APIs that upgraded Spring Security or new APIs using the latest Spring Security. From what I've seen via quick Google search, this is definitely an interoperability issue that comes up a lot with many implementations also using lower case. My two-cents is that clients (the ones issuing calls using the Authorization header) should try and adhere to spec and user |
|
IMO the spec is the law - and the spec's quite explicit here. Why should a security based framework reasonably add default behavior that tolerates clients not adhering to the spec? There are two options:
With changes like this also take into account:
I used Google as an example that supports spec interpretation that it should be case-sensitive. I believe that anything outside of the spec doesn't belong in |
|
I do agree that the right way to get around all this is for clients to just use If you look at 2.1. Authorization Request Header Field
This appears to refer to HTTP-AUTH spec that reiterates the same scheme is insensitive line as RFC 2617:
The updated Basic authentication spec found at IANA's "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" also explicitly calls out case insensitivity for
Another area where So I'm on the same page as @nlebas here in terms of spec ambiguity. |
|
@tnwang Thanks for your feedback here and for those further references. After further reading the spec references I do agree with you
I'm inclined to leave things as-is at this point. |
According to RFC 6750 item 3, the "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 RFC2617.
There item 1.2 states that the auth-scheme (i.e, the "Bearer" keyword) is case insensitive.
Hope this helps,