Keycloak token endpoint response JSON with improper token_type='bearer', should it be 'Bearer' as according to OIDC spec?

I see that the Keycloak (9.0.x) token endpoint's response JSON has the token_type claim = 'bearer'…

In the OIDC specification, it states that the 'token_type' MUST be 'Bearer' (and not 'bearer'…).

So, does Keycloak / RHSSO deviate from the specification? Is it a bug?


That spec doesn’t indicate case sensitivity. According to that spec, “The parameters in the successful response are defined in Section 4.1.4 of OAuth 2.0 [RFC6749]”, which states:

         REQUIRED.  The type of the token issued as described in
         Section 7.1.  Value is case insensitive.
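As an added illustration of the point above (this is example code written for this thread, not Keycloak's, RH-SSO's, or any client library's own code), the following Python parses a constructed token endpoint response modelled on what the question reports and compares `token_type` case-insensitively, as RFC 6749 section 5.1 requires. The function names (`parse_token_response`, `authorization_header`, `strict_token_type_matches`) and the sample response with placeholder token values are assumptions made for the example. The naive case-sensitive check is included only to show why a strict client rejects a lower-case `bearer`.

```python
"""Case-insensitive token_type handling for an OAuth 2.0 / OIDC token
endpoint response (added example, not Keycloak or client-library code)."""
import json

# Constructed sample response, modelled on what the question reports
# (token_type returned in lower case). Token values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
    "token_type": "bearer",
    "id_token": "PLACEHOLDER_ID_TOKEN",
    "scope": "openid profile",
})


class TokenResponseError(ValueError):
    """Raised when the token endpoint response cannot be accepted."""


def parse_token_response(body, expected_type="Bearer"):
    """Parse a successful token endpoint response.

    RFC 6749 section 5.1 makes token_type REQUIRED and says its value is
    case insensitive, so the comparison folds case instead of demanding the
    exact spelling "Bearer" used in the OIDC text. Returns the fields a
    client needs, with token_type normalised to the canonical form.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"response is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("response JSON is not an object")

    # An error response (RFC 6749 section 5.2) carries "error", not tokens.
    if "error" in data:
        raise TokenResponseError(f"token endpoint returned error: {data['error']}")

    for field in ("access_token", "token_type"):
        if field not in data:
            raise TokenResponseError(f"missing required field: {field}")

    token_type = data["token_type"]
    if (not isinstance(token_type, str)
            or token_type.casefold() != expected_type.casefold()):
        raise TokenResponseError(
            f"unexpected token_type {token_type!r}; expected "
            f"{expected_type!r} (compared case-insensitively)")

    return {
        "access_token": data["access_token"],
        "token_type": expected_type,  # canonical form for the header
        "expires_in": int(data["expires_in"]) if "expires_in" in data else None,
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),
        "scope": data.get("scope"),
    }


def authorization_header(parsed):
    """Build the Authorization header value from a parsed response.

    RFC 6750 uses the scheme "Bearer"; emitting the canonical spelling
    avoids tripping resource servers that compare the scheme strictly.
    """
    return f"{parsed['token_type']} {parsed['access_token']}"


def strict_token_type_matches(body, expected_type="Bearer"):
    """The naive case-sensitive check that fails against a lower-case
    'bearer'; shown only to contrast with parse_token_response."""
    return json.loads(body).get("token_type") == expected_type


if __name__ == "__main__":
    parsed = parse_token_response(SAMPLE_RESPONSE)
    print("strict match:", strict_token_type_matches(SAMPLE_RESPONSE))  # False
    print("lenient parse:", parsed["token_type"])                       # Bearer
    print("header:", authorization_header(parsed))
```

The practical takeaway for a client is to treat `token_type` as case-insensitive on receipt, reject anything that is not a bearer token unless another type was negotiated, and emit the canonical `Bearer` scheme when sending the token.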



I see that the OIDC specification (as well as its examples) indicates 'Bearer'…:

The OAuth 2.0 token_type response parameter value MUST be Bearer, as specified in OAuth 2.0 Bearer Token Usage [RFC6750], unless another Token Type has been negotiated with the Client.

Need to cross-check with the OAuth 2.0 specification too…!