Hey
I was working with Claude on an MCP server which requires authorization,
and it generated this code,
    // Only an exact-case "Bearer" followed by a single space is accepted
    const authHeader = request.headers.authorization
    if (authHeader && authHeader.startsWith('Bearer ')) {
      // Everything after the first space is taken as the token
      const token = authHeader.split(' ')[1]
      // ...
    }
which is likely based on patterns in the wild. In the OAuth 2.1 draft we
are making it clear that "Bearer" is case insensitive and that the
separator can be multiple spaces. A client sending
Authorization: bearer ey-access-token
would of course fail in this validation. Do we as a WG want to be aligned
with the HTTP spec, or align with what is widely deployed?
/Dick
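Added example, not part of Dick's mail or any WG text: the generated pattern placed next to a parser that follows the header grammar the mail refers to (RFC 9110 credentials = auth-scheme 1*SP token68, with the scheme compared case-insensitively, and the RFC 6750 b64token alphabet). It assumes the header value has already had surrounding whitespace stripped by the HTTP layer, as Node's parser does, and the sample header values are constructed for the comparison.

```javascript
// Added example (not from the original mail): the generated pattern next to a
// parser that follows RFC 9110 / RFC 6750, so the two behaviours can be compared.

// The pattern the mail quotes: exact-case "Bearer" and exactly one space.
function extractTokenStrict(authHeader) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1]
  }
  return null
}

// RFC 9110: credentials = auth-scheme 1*SP token68, auth-scheme is case-insensitive.
// RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
// Assumption: leading/trailing OWS was already removed by the HTTP parser.
const BEARER_RE = /^bearer +([A-Za-z0-9\-._~+\/]+=*)$/i

function extractTokenLenient(authHeader) {
  if (typeof authHeader !== 'string') return null
  const m = BEARER_RE.exec(authHeader)
  return m ? m[1] : null
}

// Constructed sample header values, including the case from the mail.
const SAMPLES = [
  'Bearer ey-access-token',   // what the generated code expects
  'bearer ey-access-token',   // the mail's example: valid, rejected by the strict code
  'BEARER ey-access-token',   // scheme in upper case: also valid
  'Bearer   ey-access-token', // several SP as separator: valid
  'Basic dXNlcjpwYXNz',       // different scheme: must not yield a token
  'Bearer',                   // scheme without credentials: no token
  'Bearer tok en',            // space inside the token: not a token68
]

// Runs both extractors over the samples and returns one row per header.
function compare(headers = SAMPLES) {
  return headers.map((header) => ({
    header,
    strict: extractTokenStrict(header),
    lenient: extractTokenLenient(header),
  }))
}

console.log(JSON.stringify(compare(), null, 2))
```

Note that for the double-space sample the strict version does not fail cleanly: split(' ')[1] is the empty string, so a later check for a non-empty token is what actually rejects it.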
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]