From 05d68af54e74b4d2df11fe300a6217d6a92f37de Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 15 Apr 2019 11:50:32 +0200
Subject: [PATCH] auth_oidc: compare token_type case insensitively (fixes #32281)

---
 src/authentic2_auth_oidc/views.py | 7 +++++--
 tests/test_auth_oidc.py | 4 +++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/authentic2_auth_oidc/views.py b/src/authentic2_auth_oidc/views.py
index d5c28bd0..f416dd71 100644
--- a/src/authentic2_auth_oidc/views.py
+++ b/src/authentic2_auth_oidc/views.py
@@ -166,8 +166,11 @@ class LoginCallback(View):
 'request_id': request.request_id,
 })
 return self.continue_to_next_url()
- if ('access_token' not in result or 'token_type' not in result or
- result['token_type'] != 'Bearer' or 'id_token' not in result):
+ # token_type is case insensitive, https://tools.ietf.org/html/rfc6749#section-4.2.2
+ if ('access_token' not in result
+ or 'token_type' not in result
+ or result['token_type'].lower() != 'bearer'
+ or 'id_token' not in result):
 logger.warning(u'auth_oidc: invalid token endpoint response from %s: %r' % (
 provider.token_endpoint, result))
 messages.warning(request, _('Provider %(name)s is down, report %(request_id)s to '
diff --git a/tests/test_auth_oidc.py b/tests/test_auth_oidc.py
index 05392540..4ac16343 100644
--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@@ -4,6 +4,7 @@ import os
 import pytest
 import json
 import time
+import random
 from jwcrypto.jwk import JWKSet, JWK
 from jwcrypto.jwt import JWT
 
@@ -199,7 +200,8 @@ def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token
 content = {
 'access_token': '1234',
- 'token_type': 'Bearer',
+ # check token_type is case insensitive
+ 'token_type': random.choice(['B', 'b']) + 'earer',
 'id_token': jwt.serialize(),
 }
 return {
-- 
2.20.1
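Review bot: The new `result['token_type'].lower()` term in views.py raises AttributeError when the token endpoint returns a non-string `token_type` (JSON `null` or a number), because the preceding `'token_type' not in result` check only tests key presence; `result` is the remote provider's response, so a malformed type should land in the same warning/"provider is down" path as a missing key instead of surfacing as an unhandled exception in the callback. Replacing the two terms with `or not isinstance(result.get('token_type'), str)` followed by `or result['token_type'].lower() != 'bearer'` keeps the case-insensitive comparison and rejects bad types (use `six.string_types` or equivalent in place of `str` if the `u''` literals mean Python 2 is still supported). The comment's RFC link points at the implicit-grant response (§4.2.2); the case-insensitivity statement for the token endpoint response this code parses is in RFC 6749 §5.1, which reads more naturally here. The enclosing LoginCallback method starts and ends outside the hunk.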
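Review bot: `random.choice(['B', 'b']) + 'earer'` in the tests/test_auth_oidc.py hunk makes the mocked `token_type` nondeterministic, so a single run exercises only one casing and a regression in the case-insensitive comparison would fail intermittently rather than every time. Exercising both spellings on every run, for example with `@pytest.mark.parametrize('token_type', ['Bearer', 'bearer'])` (pytest is already imported at the top of the file) threaded into the mock's content, makes a failure reproducible. If oidc_provider_mock cannot easily take a parameter, the fixed non-canonical spelling `'token_type': 'bearer',` is still a deterministic check of the new behaviour. oidc_provider_mock continues outside the hunk.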