Skip to content

Canonicalize OAuth Bearer scheme when building Authorization header #788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mkazia wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Canonicalize OAuth Bearer scheme when building Authorization header #788

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
75314eb
Canonicalize OAuth Bearer scheme when building Authorization header
mkazia May 4, 2026
13f0eb5
Merge pull request #1 from mkazia/oauth_bearer_fix
mkazia May 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion databricks-sdk-java/src/main/java/com/databricks/sdk/core/AzureCliCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,8 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
() -> {
Token token = tokenSource.getToken();
Map<String, String> headers = new HashMap<>();
headers.put("Authorization", token.getTokenType() + " " + token.getAccessToken());
headers.put(
"Authorization", token.getCanonicalTokenType() + " " + token.getAccessToken());
if (finalMgmtTokenSource != null) {
AzureUtils.addSpManagementToken(finalMgmtTokenSource, headers);
}
Expand Down
3 changes: 2 additions & 1 deletion databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OAuthHeaderFactory.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ public Token getToken() {
public Map<String, String> headers() {
Token token = tokenSource.getToken();
Map<String, String> headers = new HashMap<>();
headers.put("Authorization", token.getTokenType() + " " + token.getAccessToken());
headers.put(
"Authorization", token.getCanonicalTokenType() + " " + token.getAccessToken());
return headers;
}
};
Expand Down
16 changes: 16 additions & 0 deletions databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/Token.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,22 @@ public String getTokenType() {
return tokenType;
}

/**
* Returns the token type canonicalized for use as the Authorization header scheme. Per RFC 6749
* §5.1 / RFC 6750 §2.1, identity providers may return {@code token_type} in any case (e.g.
* "bearer", "BEARER"). Some downstream servers and proxies reject anything other than the
* canonical "Bearer" capitalization, so we normalize that scheme here. Other schemes are returned
* unchanged.
*
* @return the canonicalized token type
*/
public String getCanonicalTokenType() {
if ("bearer".equalsIgnoreCase(tokenType)) {
return "Bearer";
}
return tokenType;
}

/**
* Returns the refresh token, if available. May be null for non-refreshable tokens.
*
Expand Down
2 changes: 1 addition & 1 deletion ...-java/src/main/java/com/databricks/sdk/service/serving/ServingEndpointsDataPlaneImpl.java
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 13 additions & 1 deletion databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/OAuthHeaderFactoryTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,19 @@ private static Stream<Arguments> provideTokenSourceTestCases() {
Arguments.of(
"Token with custom type",
new Token(TOKEN_VALUE, "Custom", expiry),
Collections.singletonMap("Authorization", "Custom " + TOKEN_VALUE)));
Collections.singletonMap("Authorization", "Custom " + TOKEN_VALUE)),
Arguments.of(
"Lowercase bearer is canonicalized",
new Token(TOKEN_VALUE, "bearer", expiry),
Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)),
Arguments.of(
"Uppercase BEARER is canonicalized",
new Token(TOKEN_VALUE, "BEARER", expiry),
Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)),
Arguments.of(
"Mixed-case BeArEr is canonicalized",
new Token(TOKEN_VALUE, "BeArEr", expiry),
Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)));
}

@ParameterizedTest(name = "{0}")
Expand Down
16 changes: 16 additions & 0 deletions databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/TokenTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,4 +29,20 @@ void createRefreshableToken() {
assertEquals(refreshToken, token.getRefreshToken());
assertEquals(currentInstant.plusSeconds(300), token.getExpiry());
}

@Test
void canonicalTokenTypeNormalizesBearerCasing() {
Instant expiry = currentInstant.plusSeconds(300);
assertEquals("Bearer", new Token(accessToken, "Bearer", expiry).getCanonicalTokenType());
assertEquals("Bearer", new Token(accessToken, "bearer", expiry).getCanonicalTokenType());
assertEquals("Bearer", new Token(accessToken, "BEARER", expiry).getCanonicalTokenType());
assertEquals("Bearer", new Token(accessToken, "BeArEr", expiry).getCanonicalTokenType());
}

@Test
void canonicalTokenTypePreservesNonBearerSchemes() {
Instant expiry = currentInstant.plusSeconds(300);
assertEquals("Custom", new Token(accessToken, "Custom", expiry).getCanonicalTokenType());
assertEquals("MAC", new Token(accessToken, "MAC", expiry).getCanonicalTokenType());
}
}
Loading