"Basic" authentication scheme name should be case insenstive

In [an issue in a client side OAuth2 framework (angular-oauth2-oidc)](https://github.com/manfredsteyer/angular-oauth2-oidc/issues/368) it was noted that Spring Security does a case sensitive comparison (I think, in [this line](https://github.com/spring-projects/spring-security/blob/5.0.6.RELEASE/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java#L157)) for the string `"Basic "`.

I'm unsure if I referred to the correct RFC, but in [RFC 7617 section 2](https://tools.ietf.org/html/rfc7617#section-2) it is noted that the scheme name should be matched case _insensitively_ (even though all examples use "Basic" as the spelling).

Just for reference (and to double check my hunch), IdentityServer4 (from the .NET ecosystem) [seems to do it case insensitively](https://github.com/IdentityServer/IdentityServer4/blob/2.2.0/src/IdentityServer4/Validation/BasicAuthenticationSecretParser.cs#L63).

Perhaps someone more knowledgeable than I can double check my thoughts, but if I'm right then I think it would be good to make the check ignore case in Spring Security too.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

"Basic" authentication scheme name should be case insenstive #5586

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

"Basic" authentication scheme name should be case insenstive #5586

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions