List Tokens Bug?

I’ve been trying to list my tokens via the Cloud API.

I was getting an Unauthorised response back when I sent my credentials in using Basic Auth in the header.

GET https://api.spark.io/v1/access_tokens Headers [Accept=application/json,Accept-Encoding=gzip, deflate,Authorization=BASIC BASE64_ENCODED_CREDENTIALS_HERE]

The cloud API complained like anything that I wasn’t sending in any credentials when I was. So I did some adjusting and changed the request to

GET https://api.spark.io/v1/access_tokens Headers [Accept=application/json,Accept-Encoding=gzip, deflate,Authorization=Basic BASE64_ENCODED_CREDENTIALS_HERE]

Which worked. I was wondering if this was a bug or how it was specifically meant to work? Without knowing too much about BasicAuth I figured writing BASIC in any case would be ok. Thought I’d share if anyone else was seeing similar things.

HTTP headers are (usually/always?) case-insensitive, so either case should work. But it’s easy to miss something like this when coding an API!

cc’ing @jgoggins who I think is the API wizard!

Hey @elbeardo ,

At first glance, I thought, “gosh, yea, that does seem like a bug.” I was surprised to find in the OAuth2 spec that it does in fact have to be “Basic”, NOT “BASIC”, i.e. case does matter. I also verified that this is the case in our implementation of this spec too.

Thanks for the heads up, and cheers to learning :beers: !

2 Likes

@mdma @jgoggins

Thanks guys! Really appreciate it. It’s amazing how much case matters in these things. Onwards and upwards though :smile:
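The scheme-casing behaviour discussed in this thread, as an added example that is not part of the original posts and is not Spark's own code: a client helper that always emits the canonical `Basic` spelling, and a server-side parser with an exact-match mode and a case-insensitive mode. The function names, the `strict_scheme` flag and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii


class AuthHeaderError(ValueError):
    """The Authorization header does not carry usable Basic credentials."""


def build_basic_header(username: str, password: str) -> str:
    """Client side: always emit the canonical 'Basic' spelling."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str, strict_scheme: bool = True):
    """Server side: return (username, password) or raise AuthHeaderError.

    strict_scheme=True accepts only the exact spelling 'Basic', the behaviour
    reported in the thread. False compares the scheme case-insensitively,
    which is how RFC 7235 defines authentication scheme tokens.
    """
    scheme, _, token = value.strip().partition(" ")
    matches = scheme == "Basic" if strict_scheme else scheme.lower() == "basic"
    if not matches:
        # Name the real problem so the caller is not told "no credentials".
        raise AuthHeaderError(f"unsupported scheme {scheme!r}")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise AuthHeaderError("credentials are not valid base64/UTF-8") from exc
    # Only the first ':' separates the fields; the password may contain more.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise AuthHeaderError("credentials lack the ':' separator")
    return username, password


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    header = build_basic_header("user@example.com", "p:ss")
    upper = "BASIC " + header.split(" ", 1)[1]
    for candidate in (header, upper):
        try:
            print(candidate[:6], "->", parse_basic_header(candidate))
        except AuthHeaderError as err:
            print(candidate[:6], "-> rejected:", err)
```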