We should absolutely align with HTTP. I believe this is already addressed in the language and examples of OAuth 2.1, yes?
This would hardly be the first example of an AI-powered tool creating extremely fragile code, anyway. Coddling it won't help it get better.

- Justin

________________________________
From: Dick Hardt <dick.ha...@gmail.com>
Sent: Sunday, July 6, 2025 8:22 AM
To: oauth@ietf.org <oauth@ietf.org>
Subject: [OAUTH-WG] coding agents don't follow the spec for parsing Authorization header

Hey

I was working with Claude on an MCP server which requires authorization, and it generated this code,

    const authHeader = request.headers.authorization
    if (authHeader && authHeader.startsWith('Bearer ')) {
      const token = authHeader.split(' ')[1]

which is likely based on patterns in the wild.

In the OAuth 2.1 draft we are making it clear that "Bearer" is case insensitive and that the separator can be multiple spaces.

A client sending

    Authorization: bearer ey-access-token

would of course fail in this validation.

Do we as a WG want to be aligned with the HTTP spec, or align with what is widely deployed?

/Dick
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
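The following is an added example, not code from either message in the thread, that puts the fragile pattern Dick quotes next to a parser that follows the HTTP/OAuth 2.1 rules he describes: the `Bearer` scheme name compared case-insensitively and one or more spaces allowed as the separator. It assumes a Node-style request object where header names are lowercased (`request.headers.authorization`), and it restricts the token to the `token68` character set from RFC 9110/RFC 6750 so that a header with trailing garbage (such as a second word) is rejected instead of silently truncated.

```javascript
// Added example (not from the mailing-list thread).
// Assumes Node-style lowercased header names: request.headers.authorization

// The pattern quoted in the thread, for comparison: scheme match is
// case-sensitive and a second space yields an empty token.
function fragileExtractBearer(authHeader) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  return null;
}

// RFC 9110: credentials = auth-scheme [ 1*SP ( token68 / ... ) ]
// RFC 6750: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
// The /i flag makes "Bearer" case-insensitive; `[ ]+` accepts one or more spaces;
// the anchors reject anything after the token68 value.
const BEARER_CREDENTIALS = /^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$/i;

// Returns the access token string, or null when the header is absent,
// uses another scheme, or is not well-formed Bearer credentials.
function extractBearerToken(authHeader) {
  if (typeof authHeader !== 'string') return null;
  // Servers normally strip surrounding whitespace from field values already;
  // trimming here is a defensive assumption, not a spec requirement.
  const match = BEARER_CREDENTIALS.exec(authHeader.trim());
  return match ? match[1] : null;
}

// Convenience wrapper mirroring the request shape used in the thread.
function tokenFromRequest(request) {
  const headers = (request && request.headers) || {};
  return extractBearerToken(headers.authorization);
}

// Constructed sample headers (not real tokens) showing where the two differ.
const SAMPLE_HEADERS = [
  'Bearer ey-access-token',     // canonical form: both agree
  'bearer ey-access-token',     // lowercase scheme: fragile version rejects
  'Bearer    ey-access-token',  // multiple spaces: fragile version returns ''
  'Basic dXNlcjpwYXNz',         // other scheme: both reject
  'Bearer ey-access-token junk' // trailing garbage: fragile version truncates
];

function compareParsers(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({
    header: h,
    fragile: fragileExtractBearer(h),
    compliant: extractBearerToken(h)
  }));
}
```

Run `compareParsers()` to see the divergence row by row: the compliant parser accepts the `bearer ey-access-token` request from the thread and the multi-space variant, and it returns `null` rather than a partial token when the value is malformed, which is the safer failure for an authorization check.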