Skip to content

Make Authorization header auth-scheme case-insensitive #48406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
alimmirk wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Make Authorization header auth-scheme case-insensitive #48406

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f724cde
Fix #48387: Make Authorization header auth-scheme case-insensitive
alimmirk Apr 23, 2026
3e38dca
Merge branch 'main' into fix-auth-scheme-case-insensitivity
alimmirk Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ private void checkToken() {
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.OK);
}

if (!(TokenUtil.TOKEN_TYPE_REFRESH.equals(token.getType()) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(token.getType()) || TokenUtil.TOKEN_TYPE_BEARER.equals(token.getType())|| TokenUtil.TOKEN_TYPE_DPOP.equals(token.getType()))) {
if (!(TokenUtil.TOKEN_TYPE_REFRESH.equals(token.getType()) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(token.getType()) || TokenUtil.TOKEN_TYPE_BEARER.equalsIgnoreCase(token.getType())|| TokenUtil.TOKEN_TYPE_DPOP.equalsIgnoreCase(token.getType()))) {
event.detail(Details.REASON, "Unsupported token type");
event.error(Errors.INVALID_TOKEN_TYPE);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNSUPPORTED_TOKEN_TYPE, "Unsupported token type",
Expand Down
2 changes: 1 addition & 1 deletion ...main/java/org/keycloak/services/clientpolicy/condition/ClientUpdaterContextCondition.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ private boolean isRegistrationAccessToken(JsonWebToken jwt) {
}

private boolean isBearerToken(JsonWebToken jwt) {
return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equals(jwt.getType());
return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equalsIgnoreCase(jwt.getType());
}

}
2 changes: 1 addition & 1 deletion services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ public AccessToken getJwt() {
}

private boolean isBearerToken() {
return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equals(jwt.getType());
return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equalsIgnoreCase(jwt.getType());
}

public boolean isInitialAccessToken() {
Expand Down
3 changes: 1 addition & 2 deletions services/src/main/java/org/keycloak/services/managers/AppAuthManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,8 +78,7 @@ private static AuthHeader extractTokenStringFromAuthHeader(String authHeader) {
return null;
}
} else {
// "Bearer" is case-insensitive for historical reasons. "DPoP" is case-sensitive to follow the spec.
if (!isBearerHeader && !typeString.equals(TokenUtil.TOKEN_TYPE_DPOP)) {
if (!isBearerHeader && !typeString.equalsIgnoreCase(TokenUtil.TOKEN_TYPE_DPOP)) {
return null;
}
}
Expand Down
2 changes: 1 addition & 1 deletion services/src/main/java/org/keycloak/services/util/DPoPUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,7 +242,7 @@ public static TokenVerifier<AccessToken> withDPoPVerifier(TokenVerifier<AccessTo
boolean isSchemeDPoP = false;
if (StringUtil.isNotBlank(validator.authHeader)) {
String[] split = WHITESPACES.split(validator.authHeader);
isSchemeDPoP = TokenUtil.TOKEN_TYPE_DPOP.equals(split[0]);
isSchemeDPoP = TokenUtil.TOKEN_TYPE_DPOP.equalsIgnoreCase(split[0]);
}

if (!isSchemeDPoP && DPoPUtil.DPOP_TOKEN_TYPE.equals(token.getType())) {
Expand Down