Bearer vs bearer on the OAuth API (Again)

I know this was discussed in 2013, but it's worth revisiting.

Could your endpoints be updated to accept lowercase bearer on the authorization header, as well as Bearer? At the moment they return a 400 “malformed” error.

However, the token endpoint returns lowercase bearer for token_type, and many out-of-the-box OAuth libraries will use this value when making authenticated requests.

I’ve lost a few hours to debugging this issue, and now have to write some custom code over Next Auth to authenticate requests properly.

There’s some good thinking here from Panva (OAuth expert): “token_type received from /token endpoint is case sensitive”, Issue #248, panva/node-openid-client on GitHub.

I think the FreeAgent API should be able to accept bearer without breaking any existing apps?

Hi Jonathon, thanks for raising this. I’ll flag this up for review and pass over your feedback :+1:
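
The mismatch described in this thread, as an added example that is not part of the original posts and is not FreeAgent's or NextAuth's code: RFC 6749 defines the token_type value as case insensitive and HTTP authentication scheme names are matched case-insensitively, so a client can normalize what it sends and a server can accept any casing while still validating the token syntax. The function names and the sample token response are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, not a real library's API.

// b64token syntax from RFC 6750 section 2.1:
// 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Client side: build the Authorization header from a token response.
// token_type is compared case-insensitively and the canonical "Bearer"
// spelling is sent, so a strict resource server still accepts the request.
function buildAuthorizationHeader(tokenResponse) {
  const type = String(tokenResponse.token_type || '').toLowerCase();
  if (type !== 'bearer') {
    throw new Error('unsupported token_type: ' + tokenResponse.token_type);
  }
  const token = tokenResponse.access_token;
  if (typeof token !== 'string' || !B64TOKEN.test(token)) {
    throw new Error('access_token is missing or not a valid b64token');
  }
  return 'Bearer ' + token;
}

// Server side: parse an Authorization header value.
// The scheme is matched case-insensitively; the credentials must be a
// single well-formed b64token. Returns the token, or null if malformed.
function parseBearerHeader(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const match = /^(\S+) +(\S+)$/.exec(headerValue.trim());
  if (!match) return null;
  const scheme = match[1];
  const credentials = match[2];
  if (scheme.toLowerCase() !== 'bearer') return null;
  return B64TOKEN.test(credentials) ? credentials : null;
}

// Constructed token response with the lowercase token_type described above.
const sampleResponse = {
  access_token: 'abc123.DEF-456_~+/==',
  token_type: 'bearer',
};
```
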