From f1ed3328f85ba86f6ca346078f13de458f6bfab9 Mon Sep 17 00:00:00 2001
From: Andy Clayton <aclayton@conserviscorp.com>
Date: Fri, 20 Jul 2018 12:40:23 -0500
Subject: [PATCH] Accept lowercase "bearer" in Authorization header

We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
---
 docs/sections/changelog.rst                      |  1 +
 oidc_provider/lib/utils/oauth2.py                |  2 +-
 .../tests/cases/test_userinfo_endpoint.py        | 16 ++++++++++++++--
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docs/sections/changelog.rst b/docs/sections/changelog.rst
index ba6bd79..0def865 100644
--- a/docs/sections/changelog.rst
+++ b/docs/sections/changelog.rst
@@ -9,6 +9,7 @@ Unreleased
 ==========
 
 * Added: support introspection on client credentials tokens.
+* Changed: accept lowercase "bearer" in Authorization header.
 * Fixed: ScopeClaims class.
 * Fixed: code is not zip safe.
 
diff --git a/oidc_provider/lib/utils/oauth2.py b/oidc_provider/lib/utils/oauth2.py
index 452325f..fcdd68a 100644
--- a/oidc_provider/lib/utils/oauth2.py
+++ b/oidc_provider/lib/utils/oauth2.py
@@ -21,7 +21,7 @@ def extract_access_token(request):
     """
     auth_header = request.META.get('HTTP_AUTHORIZATION', '')
 
-    if re.compile('^Bearer\s{1}.+$').match(auth_header):
+    if re.compile('^[Bb]earer\s{1}.+$').match(auth_header):
         access_token = auth_header.split()[1]
     else:
         access_token = request.GET.get('access_token', '')
diff --git a/oidc_provider/tests/cases/test_userinfo_endpoint.py b/oidc_provider/tests/cases/test_userinfo_endpoint.py
index dc26371..832d435 100644
--- a/oidc_provider/tests/cases/test_userinfo_endpoint.py
+++ b/oidc_provider/tests/cases/test_userinfo_endpoint.py
@@ -59,7 +59,7 @@ class UserInfoTestCase(TestCase):
 
         return token
 
-    def _post_request(self, access_token):
+    def _post_request(self, access_token, schema='Bearer'):
         """
         Makes a request to the userinfo endpoint by sending the
         `post_data` parameters using the 'multipart/form-data'
@@ -69,7 +69,7 @@ class UserInfoTestCase(TestCase):
 
         request = self.factory.post(url, data={}, content_type='multipart/form-data')
 
-        request.META['HTTP_AUTHORIZATION'] = 'Bearer ' + access_token
+        request.META['HTTP_AUTHORIZATION'] = schema + ' ' + access_token
 
         response = userinfo(request)
 
@@ -84,6 +84,18 @@ class UserInfoTestCase(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(bool(response.content), True)
 
+    def test_response_with_valid_token_lowercase_bearer(self):
+        """
+        Some clients expect to be able to pass the token_type value from the token endpoint
+        ("bearer") back to the identity provider unchanged.
+        """
+        token = self._create_token()
+
+        response = self._post_request(token.access_token, schema='bearer')
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(bool(response.content), True)
+
     def test_response_with_expired_token(self):
         token = self._create_token()