case sensitivity of Bearer http authentication scheme

[jogu]

It seems to be a common interoperability issue (and a source of some really great arguments as to who is wrong, e.g. fastify/fastify-bearer-auth#172 (comment) ) that some implementations treat the 'Bearer' http authentication scheme name as case sensitive.

As far as I can find, HTTP authentication schemes are case insensitive; in particular https://www.rfc-editor.org/rfc/rfc9110#name-authentication-scheme says:

It uses a case-insensitive token to identify the authentication scheme:

Regardless of whether my conclusion is correct, I think we should add a sentence to OAuth 2.1 that makes it clear if it is case sensitive or not.

[jogu]

I think people often get confused by https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-5.1.1 in particular:

credentials = "Bearer" 1*SP token68

so this might be a good place to add an additional sentence. (As per https://www.rfc-editor.org/rfc/rfc5234#section-2.3 I believe this is defining 'Bearer' as a case insensitive match.)

[aaronpk]

Should we update the abnf description to use lowercase too then just for good measure?

[jogu]

Good question and I don't really know if there's any precedent here. "Bearer" is the official name as per https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes but I'm not sure that matters.

[aaronpk]

As discussed in the May 14 interim:

Keep the examples with the capital B, and add a sentence clarifying that the scheme is case insensitive.