Stream: smart
Topic: Case in token_type
Michael Donnelly (Jan 16 2019 at 16:25):
In the JSON Epic returns from our oauth2/token endpoint, we have "token_type": "bearer"
Grahame noticed that this doesn't match the case in the SMART spec section 7.1.3, which requires it to be capitalized. So we can prioritize the fix, who will have trouble based on this? Are there any validators that will fail because of this?
Kevin Shekleton (Jan 16 2019 at 19:41):
@Michael Donnelly - you may want to check popular OSS libraries around this too. I did some informal searches across Github and found that there are lots of people comparing the token type irrespective of case (or lower casing both values before comparing). For instance, Spring's library does this. That's probably due to the reality of inconsistent Bearer vs bearer.
fyi, Bearer isn't something SMART defined. See corresponding uses of Bearer in OpenID Connect 3.1.33 and rfc6750 6.1.1
Michael Donnelly (Jan 17 2019 at 16:03):
Thanks @Kevin Shekleton
Grahame Grieve (Jan 18 2019 at 11:16):
I now perform case independent comparison. Maybe we should not this somewhere?
Michael Donnelly (Jan 22 2019 at 17:01):
Note that servers should do it as Bearer?
Josh Mandel (Jan 22 2019 at 17:28):
I think both are correct: servers should do "Bearer" and clients should be able to deal with "Bearer" as well as "bearer".
Last updated: Apr 12 2022 at 19:14 UTC
