Canonicalize OAuth Bearer scheme when building Authorization header (#821)

Identity providers may return `token_type` in any case (e.g. `bearer`,
`BEARER`) per RFC 6749/6750, but some downstream servers and proxies
reject anything other than the canonical `Bearer`. This caused
intermittent auth failures depending on the IdP's response casing.

Adds `Token.getCanonicalTokenType()`, which returns `Bearer` whenever
`tokenType` case-insensitively matches `bearer` and otherwise returns
the original value untouched. Routes the three `Authorization` header
construction sites through the new helper:
`OAuthHeaderFactory.fromTokenSource`, `AzureCliCredentialsProvider`, and
`ServingEndpointsDataPlaneImpl`. Non-Bearer schemes (e.g. `MAC`, custom)
are unchanged.

Original change authored by @mkazia in #788; this branch is the same
change rebased onto current main with the changelog conflict resolved,
opened from origin so CI runs with OIDC. #788 can be closed once this
merges.

Tests: `TokenTest` and `OAuthHeaderFactoryTest` cover Bearer casing
normalization, non-Bearer pass-through, and the assembled
`Authorization: Bearer <token>` header; 12 passed locally against
current main.

---------

Co-authored-by: Mubashir Kazia <mkazia@gmail.com>
Co-authored-by: mkazia <3633226+mkazia@users.noreply.github.com>

Author: renaudhartert-db

NEXT_CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bug Fixes
+* Canonicalize Bearer tokenType in Authorization headers
 
 ### Security Vulnerabilities
 
@@ -15,3 +16,4 @@
 ### Internal Changes
 
 ### API Changes
+* Add `getCanonicalTokenType()` method for `com.databricks.sdk.core.oauth.Token`

databricks-sdk-java/src/main/java/com/databricks/sdk/core/AzureCliCredentialsProvider.java

@@ -99,7 +99,8 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
           () -> {
             Token token = tokenSource.getToken();
             Map<String, String> headers = new HashMap<>();
-            headers.put("Authorization", token.getTokenType() + " " + token.getAccessToken());
+            headers.put(
+                "Authorization", token.getCanonicalTokenType() + " " + token.getAccessToken());
             if (finalMgmtTokenSource != null) {
               AzureUtils.addSpManagementToken(finalMgmtTokenSource, headers);
             }

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OAuthHeaderFactory.java

@@ -51,7 +51,7 @@ public Token getToken() {
       public Map<String, String> headers() {
         Token token = tokenSource.getToken();
         Map<String, String> headers = new HashMap<>();
-        headers.put("Authorization", token.getTokenType() + " " + token.getAccessToken());
+        headers.put("Authorization", token.getCanonicalTokenType() + " " + token.getAccessToken());
         return headers;
       }
     };

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/Token.java

@@ -51,6 +51,22 @@ public String getTokenType() {
     return tokenType;
   }
 
+  /**
+   * Returns the token type canonicalized for use as the Authorization header scheme. Per RFC 6749
+   * §5.1 / RFC 6750 §2.1, identity providers may return {@code token_type} in any case (e.g.
+   * "bearer", "BEARER"). Some downstream servers and proxies reject anything other than the
+   * canonical "Bearer" capitalization, so we normalize that scheme here. Other schemes are returned
+   * unchanged.
+   *
+   * @return the canonicalized token type
+   */
+  public String getCanonicalTokenType() {
+    if ("bearer".equalsIgnoreCase(tokenType)) {
+      return "Bearer";
+    }
+    return tokenType;
+  }
+
   /**
    * Returns the refresh token, if available. May be null for non-refreshable tokens.
    *

databricks-sdk-java/src/main/java/com/databricks/sdk/service/serving/ServingEndpointsDataPlaneImpl.java

@@ -36,7 +36,19 @@ private static Stream<Arguments> provideTokenSourceTestCases() {
         Arguments.of(
             "Token with custom type",
             new Token(TOKEN_VALUE, "Custom", expiry),
-            Collections.singletonMap("Authorization", "Custom " + TOKEN_VALUE)));
+            Collections.singletonMap("Authorization", "Custom " + TOKEN_VALUE)),
+        Arguments.of(
+            "Lowercase bearer is canonicalized",
+            new Token(TOKEN_VALUE, "bearer", expiry),
+            Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)),
+        Arguments.of(
+            "Uppercase BEARER is canonicalized",
+            new Token(TOKEN_VALUE, "BEARER", expiry),
+            Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)),
+        Arguments.of(
+            "Mixed-case BeArEr is canonicalized",
+            new Token(TOKEN_VALUE, "BeArEr", expiry),
+            Collections.singletonMap("Authorization", "Bearer " + TOKEN_VALUE)));
   }
 
   @ParameterizedTest(name = "{0}")

databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/OAuthHeaderFactoryTest.java

@@ -29,4 +29,20 @@ void createRefreshableToken() {
     assertEquals(refreshToken, token.getRefreshToken());
     assertEquals(currentInstant.plusSeconds(300), token.getExpiry());
   }
+
+  @Test
+  void canonicalTokenTypeNormalizesBearerCasing() {
+    Instant expiry = currentInstant.plusSeconds(300);
+    assertEquals("Bearer", new Token(accessToken, "Bearer", expiry).getCanonicalTokenType());
+    assertEquals("Bearer", new Token(accessToken, "bearer", expiry).getCanonicalTokenType());
+    assertEquals("Bearer", new Token(accessToken, "BEARER", expiry).getCanonicalTokenType());
+    assertEquals("Bearer", new Token(accessToken, "BeArEr", expiry).getCanonicalTokenType());
+  }
+
+  @Test
+  void canonicalTokenTypePreservesNonBearerSchemes() {
+    Instant expiry = currentInstant.plusSeconds(300);
+    assertEquals("Custom", new Token(accessToken, "Custom", expiry).getCanonicalTokenType());
+    assertEquals("MAC", new Token(accessToken, "MAC", expiry).getCanonicalTokenType());
+  }
 }