feat: add specCompliance option, option to set case insensitive for bearerType

[Uzlopak]

Resolves #169

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[Uzlopak]

@climba03003
@mcollina
@jsumners

I applied the requested change by @climba03003 . I personally dont know why rfc6749 is case insensitive but rfc6750 is case sensitive. I feel a little bit "blind" now after reading multiple times in these rfcs. But I trust your assessment. ;).

[mcollina]

lgtm

[Uzlopak]

Happy new year, lol

[jogu]

Could you please clarify where you think RFC6750 says the HTTP authentication scheme name should be treated case sensitively?

I cannot find this stated.

I know that people do often look at this section https://www.rfc-editor.org/rfc/rfc6750#section-2.1 where it says:

credentials = "Bearer" 1*SP b64token

and assume this means case sensitive, however as per the document that defines this ABNF syntax, https://www.rfc-editor.org/rfc/rfc5234#section-2.3 (see screenshot below), this is defining "Bearer" to be case insensitive:

The underlying spec that defines HTTP authentication (which is what RFC6750 builds upon), https://www.rfc-editor.org/rfc/rfc9110#name-authentication-scheme states:

"It uses a case-insensitive token to identify the authentication scheme:”)

[climba03003]

@jogu
Look's like you are correct as it is using the ABNF syntax.
It is really a problem in the interpretation of specification requires such a deep knowledge and dig through.

According to the issue linked from this PR and all the reference inside.
Seems like we are not the only one who interpret it wrongly and agreed on it is case-sensitive.
What a disaster.

[jogu]

Yeah, definitely. As I said in oauth-wg/oauth-v2-1#166 I hope this can be clarified in the upcoming 2.1 revision of the OAuth specification so that it's not such a big issue in the future.