I know this was discussed in 2013, but worth revisiting.
Could your endpoints be updated to accept lowercase bearer on the authorization header, as well as Bearer? At the moment they return a 400 “malformed” error.
However, the token endpoint returns lower case bearer for token_type, and many out-of-the-box OAuth libraries will use this value when making authenticated requests.
I’ve lost a few hours to debugging this issue, and now have to write some custom code over Next Auth to authenticate requests properly.
There’s some good thinking here from Panva (OAuth expert): token_type received from /token endpoint is case sensitive · Issue #248 · panva/node-openid-client · GitHub
I think the FreeAgent API should be able to accept bearer without breaking any existing apps?
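An added example, not part of the original post and not FreeAgent's or Next Auth's code: a sketch of both sides of the mismatch described above. `parseBearer` is a hypothetical server-side check that matches the scheme case-insensitively (RFC 7235 defines the auth scheme as a case-insensitive token) while still validating the token against the RFC 6750 `b64token` syntax; `authorizationFor` is a hypothetical client-side workaround that normalises a `token_type` of `bearer` before building the header. The sample tokens are constructed.

```javascript
// RFC 6750 section 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;
// <scheme> 1*SP <credentials>; the scheme is an HTTP token (tchar characters).
const CREDENTIALS = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) +(.*)$/;

// Server side (hypothetical helper): accept "Bearer", "bearer", "BEARER", ...
// but keep rejecting other schemes and syntactically invalid tokens.
function parseBearer(headerValue) {
  if (typeof headerValue !== "string") {
    return { ok: false, error: "missing" };
  }
  const m = CREDENTIALS.exec(headerValue.trim());
  if (!m) {
    return { ok: false, error: "malformed" }; // no scheme/credentials split
  }
  const [, scheme, token] = m;
  if (scheme.toLowerCase() !== "bearer") {
    return { ok: false, error: "unsupported_scheme" };
  }
  if (!B64TOKEN.test(token)) {
    return { ok: false, error: "malformed" }; // e.g. embedded spaces
  }
  return { ok: true, token };
}

// Client side (hypothetical helper): RFC 6749 section 5.1 says the token_type
// value is case insensitive, so compare it that way and always emit the
// canonical "Bearer" spelling rather than echoing the response value.
function authorizationFor(tokenResponse) {
  const type = String(tokenResponse.token_type || "");
  if (type.toLowerCase() !== "bearer") {
    throw new Error(`unsupported token_type: ${type}`);
  }
  return `Bearer ${tokenResponse.access_token}`;
}

// Constructed sample inputs.
const samples = ["Bearer abc.def-123", "bearer abc.def-123", "Basic dXNlcjpwYXNz", "bearer a b"];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", JSON.stringify(parseBearer(h)));
}
console.log(authorizationFor({ token_type: "bearer", access_token: "tok123" }));
```

Case-insensitive matching applies only to the scheme name; the token itself is compared byte for byte by whatever validates it afterwards.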