Bearer in lowercase in authorization header #45

Closed
jngutteridge opened this issue Apr 12, 2018 · 3 comments

@jngutteridge

Hi,

In keycloak.service.ts our team discovered that the lowercase "bearer" in the authorisation header causes issues with Spring Web. I appreciate this is a fussy thing to point out, and can be fixed on the back-end, but the stricter standard "Bearer" tends to be used throughout in the RFC:
https://tools.ietf.org/html/rfc6750#section-2.1
https://tools.ietf.org/html/rfc6750#section-6.1.1

This is the line concerned:
https://github.com/mauriciovigolo/keycloak-angular/blob/master/src/services/keycloak.service.ts#L328

I couldn't find any other discussion related to this in the issue tracker. Could this be taken into consideration, to change "bearer" to "Bearer"?

Many thanks

@mauriciovigolo mauriciovigolo added the enhancement This issue/PR is an enhancement or new feature. label Apr 12, 2018
@mauriciovigolo
Owner

Hello @jngutteridge, Thanks for reporting!

Sure we can take this into consideration. What about changing the keycloak-angular code to leave this value dynamic? So any changes in the future can be done through configuration.

I thought to solve this issue by adding a new parameter to the KeycloakOptions interface. The default will be bearer or Bearer (I will check the standard), but you might change to whatever you need.

@jngutteridge
Author

Hi @mauriciovigolo, thanks for your quick reply!

Having a dynamic value would be great. Your proposed solution would work well and enable alternative solutions to work, should there be any non-standard setups out there.

After a quick dig, it appears that despite the standard using "Bearer", HTTP headers are actually case-insensitive, so any compliant solution should manage with both:
https://stackoverflow.com/questions/5258977/are-http-headers-case-sensitive

There is a Spring Security issue with the problem addressed on their end:
spring-attic/spring-security-oauth#457

And another with reference to Facebook and Google only accepting "Bearer":
spring-attic/spring-security-oauth#354

Thanks again!
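
Added example, not part of the original thread and not keycloak-angular or Spring code: a server-side `Authorization` header parser that compares the scheme case-insensitively (RFC 7235 defines the auth scheme as a case-insensitive token) and validates the token against the `b64token` grammar of RFC 6750 section 2.1. The names `parseBearer`, `compareModes`, the `strictCase` switch and the sample headers are assumptions made for illustration; `strictCase` mimics an exact-match comparison so the interoperability difference is visible.

```typescript
type BearerResult =
  | { ok: true; token: string }
  | { ok: false; reason: string };

// RFC 6750 section 2.1:
// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/;

function parseBearer(header: string | undefined, strictCase = false): BearerResult {
  if (header === undefined || header.length === 0) {
    return { ok: false, reason: "missing header" };
  }
  // Scheme and credentials are separated by one or more spaces.
  const match = /^([^ ]+) +(.*)$/.exec(header);
  if (match === null) {
    return { ok: false, reason: "no credentials after scheme" };
  }
  const scheme = match[1];
  const credentials = match[2];
  // Lenient mode accepts "Bearer", "bearer", "BEARER"; strict mode only "Bearer".
  const schemeMatches = strictCase
    ? scheme === "Bearer"
    : scheme.toLowerCase() === "bearer";
  if (!schemeMatches) {
    return { ok: false, reason: "unsupported scheme" };
  }
  // Reject anything outside the b64token alphabet (embedded spaces, quotes, CR/LF).
  if (!B64TOKEN.test(credentials)) {
    return { ok: false, reason: "malformed token" };
  }
  return { ok: true, token: credentials };
}

// Run both modes over a list of headers and report where they disagree.
function compareModes(headers: string[]): { header: string; lenient: boolean; strict: boolean }[] {
  return headers.map((header) => ({
    header,
    lenient: parseBearer(header).ok,
    strict: parseBearer(header, true).ok,
  }));
}

// Constructed sample headers (not real tokens).
const SAMPLE_HEADERS = [
  "Bearer abc.DEF_123-xyz==",
  "bearer abc.DEF_123-xyz==",
  "Basic dXNlcjpwYXNz",
  "Bearer abc def",
];
console.log(compareModes(SAMPLE_HEADERS));
```

Only the second sample header is treated differently by the two modes, which is the case the issue reports.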

@mauriciovigolo
Owner

Hi @jngutteridge,

New feature released on v. 1.3.0. Using the property KeycloakOptions#bearerPrefix you can now set up a custom bearer prefix.

Thanks for reporting!
