
fix: made bearer token scheme case-insensitive for non-spec-compliant oidc providers #877

Open
wim07101993 wants to merge 4 commits into main from fix/case-insensitive-bearer-scheme


@wim07101993
Member

Which Problems Are Solved

When a client requested userinfo with a lowercase authorization header (bearer instead of Bearer), the server would reject it because it is not compliant with the spec.

How the Problems Are Solved

  • made the bearer scheme check case-insensitive

Additional Changes

Additional Context

Copilot AI review requested due to automatic review settings April 23, 2026 06:42
@wim07101993 wim07101993 enabled auto-merge (squash) April 23, 2026 06:42
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the OP userinfo Authorization header parsing to accept a lowercase bearer scheme (case-insensitive), addressing interoperability with non-spec-compliant OIDC providers (closes #876).

Changes:

  • Adjusted bearer-scheme detection in getAccessToken to be case-insensitive.
  • Added a route test ensuring /userinfo succeeds with authorization: bearer <token>.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/op/userinfo.go | Updates Authorization header parsing logic for bearer scheme matching. |
| pkg/op/server_http_routes_test.go | Adds coverage for lowercase bearer Authorization scheme on userinfo route. |


Comment thread pkg/op/userinfo.go Outdated
Comment thread pkg/op/server_http_routes_test.go Outdated
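
A sketch of the case-insensitive scheme check this PR describes, added here as an illustration and not taken from the PR's diff or the project's getAccessToken. The helper name bearerToken and the sample header values are assumptions; the point is that only the scheme is compared case-insensitively while the token is returned byte-for-byte.

```go
package main

import (
	"fmt"
	"strings"
)

// bearerToken extracts the token from an Authorization header value.
// Hypothetical helper for illustration; not the project's getAccessToken.
func bearerToken(header string) (string, bool) {
	// Split at the first space: scheme on the left, credentials on the right.
	scheme, rest, found := strings.Cut(strings.TrimSpace(header), " ")
	if !found {
		return "", false // scheme only, no credentials
	}
	// Compare the whole scheme, ignoring case. A prefix check would also
	// accept "BearerX", and lowercasing the entire header would corrupt
	// the case-sensitive token.
	if !strings.EqualFold(scheme, "Bearer") {
		return "", false
	}
	token := strings.TrimSpace(rest)
	// Reject an empty token or one with embedded whitespace.
	if token == "" || strings.ContainsAny(token, " \t") {
		return "", false
	}
	return token, true
}

func main() {
	// Constructed sample header values.
	samples := []string{
		"Bearer AbC.dEf",
		"bearer AbC.dEf",
		"BEARER AbC.dEf",
		"BearerX AbC.dEf",
		"Basic dXNlcjpwdw==",
		"bearer",
		"bearer a b",
	}
	for _, h := range samples {
		tok, ok := bearerToken(h)
		fmt.Printf("%-22q token=%q ok=%v\n", h, tok, ok)
	}
}
```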
wim07101993 and others added 3 commits April 23, 2026 08:53
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

[Bug]: Normalize tokenType when calling Userinfo
