Support Bearer for authentication scheme #81
Comments
I was thinking the same thing, Bearer is the standard, not Token.
Just talked with @apai4 and we're thinking of having the backends support both so that there's backwards compatibility. It's not uncommon to see non-Bearer versions in libs, so doing a hard swap for all FE's/BE's seems unnecessary, but eventually we may just deprecate token/etc.
Supporting both works. I've seen Token, Auth, Authorization, and Bearer, but Bearer is the standard. I'll get the Spring backend set up to support either and I think that's a good solution going forward.
Is there anything left to add to this conversation or do we have a consensus? If the latter, should this issue be closed?
So the conclusion is that we enable support for both the schemes across all backends then?
I think so @SandeeshS but we should probably add some notes to the spec before we close this out.
@Cameron-C-Chapman absolutely. There's almost 25+ backends in progress/complete at the moment. We need to make sure we inform changes such as these to all the current backend developers in a proper manner. Also document this in both the frontend and backend spec.
Sounds good. I'll leave y'all to it then. Anytime we're talking about adding something to the spec, it's necessary to wait until @EricSimons signs off on it. He's got the best view of the project as a whole and is best equipped to make sure a call and bring our attention to things we haven't considered.
The RFC specification requires the use of 'Bearer' as the authentication scheme. The 'Bearer' scheme is also registered with the IANA. Most JWT packages and tools use 'Bearer' as the default scheme.
http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
https://tools.ietf.org/html/rfc6750
https://tools.ietf.org/html/rfc7523
https://en.wikipedia.org/wiki/JSON_Web_Token
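The dual-scheme acceptance discussed in this thread, as an added example that is not part of the original issue or the project's code: a header parser that takes both `Bearer` and the legacy `Token` scheme, matches the scheme name case-insensitively, checks the credential against the RFC 6750 `b64token` syntax, and flags legacy use so it can be counted before deprecation. The names `parseAuthorization` and `ACCEPTED_SCHEMES`, the error strings, and the sample values are assumptions made for illustration.

```javascript
// Added example, not project code. parseAuthorization and ACCEPTED_SCHEMES
// are hypothetical names.

// RFC 6750 section 2.1 credential syntax:
// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Scheme names are compared case-insensitively, so keys are lowercase.
// "token" is kept only for backwards compatibility and is marked legacy.
const ACCEPTED_SCHEMES = new Map([
  ["bearer", { legacy: false }],
  ["token", { legacy: true }],
]);

function parseAuthorization(headerValue) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") {
    return { ok: false, error: "missing_header" };
  }
  // Exactly one scheme, one or more spaces, one credential, nothing else.
  const match = /^(\S+) +(\S+)$/.exec(headerValue.trim());
  if (!match) {
    return { ok: false, error: "malformed_header" };
  }
  const scheme = match[1].toLowerCase();
  const token = match[2];
  const entry = ACCEPTED_SCHEMES.get(scheme);
  if (!entry) {
    return { ok: false, error: "unsupported_scheme" };
  }
  // Reject credentials with characters outside b64token before they
  // reach the JWT library or the logs.
  if (!B64TOKEN.test(token)) {
    return { ok: false, error: "malformed_token" };
  }
  return { ok: true, scheme, legacy: entry.legacy, token };
}

// Constructed sample inputs; "aaa.bbb.ccc" is a placeholder, not a real JWT.
const SAMPLE_TOKEN = "aaa.bbb.ccc";
const SAMPLE_HEADERS = [
  `Bearer ${SAMPLE_TOKEN}`, `Token ${SAMPLE_TOKEN}`, `bearer ${SAMPLE_TOKEN}`,
  "Basic dXNlcjpwYXNz", SAMPLE_TOKEN, "Bearer a b", 'Bearer bad"token',
];
for (const header of SAMPLE_HEADERS) {
  console.log(JSON.stringify(header), "->", JSON.stringify(parseAuthorization(header)));
}
```

A backend would answer any `ok: false` result with 401 and can log `legacy: true` hits to see which clients still send `Token`.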