[OAUTH-WG] coding agents don't follow the spec for parsing Authorization header

Dick Hardt <dick.hardt@gmail.com> Sun, 06 July 2025 12:23 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 06 Jul 2025 13:22:36 +0100
Message-ID: <CAD9ie-siXCTGFKakq6cOKPuPUnpJPszyzii18dhyVFUr_Z_UwQ@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8L3aqxz4tNICjrJXgUZvO3Oy5XY>

Hey

I was working with Claude on an MCP server which requires authorization,
and it generated this code,
const authHeader = request.headers.authorization
if (authHeader && authHeader.startsWith('Bearer ')) {
    const token = authHeader.split(' ')[1]

which is likely based on patterns in the wild. In the OAuth 2.1 draft we
are making it clear that "Bearer" is case insensitive and that the
separator can be multiple spaces. A client sending

Authorization:   bearer    ey-access-token

would of course fail in this validation. Do we as a WG want to be aligned
with the HTTP spec, or align with what is widely deployed?

/Dick
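As an added example (not part of Dick's message or of any MCP or OAuth project code), the snippet below puts the generated pattern next to a parser that follows the HTTP credentials grammar the message refers to: `credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]` from RFC 9110, with the scheme compared case-insensitively and one or more spaces as the separator, and the Bearer token checked against the `b64token` / `token68` alphabet from RFC 6750. The function names and the constructed header values are mine.

```javascript
// Added example: spec-following Authorization header parsing next to the
// pattern from the message. Assumes Node/Express-style access to the header
// value via request.headers.authorization (header names already lowercased).

// The pattern from the message, kept for comparison. It requires the exact
// spelling "Bearer " and splits on a single space, so "bearer    tok" is
// rejected and "Bearer    tok" yields "" (the empty field between the first
// two spaces) rather than the token.
function naiveBearerToken(authHeader) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  return null;
}

// token68 per RFC 9110 (b64token in RFC 6750):
//   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;

// auth-scheme is an HTTP token (tchar+), followed by 1*SP and the credentials.
// Only SP (0x20) is allowed between scheme and credentials; tabs are not.
const CREDENTIALS = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?: +(.*))?$/;

// Returns the Bearer token, or null when the header is absent, uses another
// scheme, or is malformed. Callers should treat null as "no valid credential"
// and answer 401 with a WWW-Authenticate: Bearer challenge.
function parseBearerToken(authHeader) {
  if (typeof authHeader !== 'string') return null;

  // Strip optional leading/trailing whitespace (OWS = SP / HTAB). HTTP parsers
  // normally do this already; doing it here keeps the parser self-contained.
  const value = authHeader.replace(/^[ \t]+|[ \t]+$/g, '');

  const match = CREDENTIALS.exec(value);
  if (!match) return null;
  const [, scheme, rest] = match;

  // Scheme comparison is case-insensitive: Bearer, bearer, BEARER all match.
  if (scheme.toLowerCase() !== 'bearer') return null;

  // A bare scheme with no credentials is not a usable Bearer header.
  if (rest === undefined) return null;

  // Bearer credentials are a single token68; anything else (embedded spaces,
  // auth-params, stray characters) is rejected rather than partially accepted.
  return TOKEN68.test(rest) ? rest : null;
}

// Usage with the header from the message (constructed value):
//   parseBearerToken('  bearer    ey-access-token') -> 'ey-access-token'
//   naiveBearerToken('  bearer    ey-access-token') -> null
```

The compliant parser is stricter than the generated one in every direction that matters: it accepts the spellings and spacing HTTP permits, but it refuses a bare `Bearer`, a credential containing spaces, and any scheme other than Bearer, instead of returning an empty or truncated string that a later token lookup would then have to reject.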