Reputation: 11607
I have a question regarding the auth-scheme. I stumbled across JSON Web Tokens and one of the official pages:
They use
Authorization: Bearer <token>
In the past, I was familiar with Authorization: JWT <token>
and had assumed that was correct until today, when I read the official JWT webpage and saw that they used Bearer <token>
instead.
I was testing the Knock Rails gem: https://github.com/nsarno/knock and with this library, I was able to make a Postman request to my Rails API with a random auth-scheme:
I could even get rid of the auth-scheme completely:
When I removed my JWT token from the Authorization header, however, it returned a 401 Unauthorized response as expected, so I know it's... working?
So I began to think... is there a purpose to the auth-scheme?
Is a library or web server supposed to honour/respect/enforce the correct usage of the auth-scheme in the Authorization header?
I came across this Stack Overflow post in my quest for an answer:
Custom HTTP Authorization Header
It showed the official format is:
credentials = auth-scheme #auth-param
The example given was even more bizarre:
Authorization: FIRE-TOKEN apikey="0PN5J17HBGZHT7JJ3X82", hash="frJIUN8DYpKDtOLCwo//yllqDzg="
I don't know if this qualifies as a programming question. I can blindly follow/use a third party library.
What's the purpose of the auth-scheme ?
I'm no cryptography/computer security expert.
Maybe someone can shed some light on the issue (or maybe non-issue)?
Upvotes: 3
Views: 1192
Reputation: 23494
The authorization scheme is just an indication to the server of what type of credentials are following. A client can use the Basic scheme
Authorization: Basic <base64(username:password)>
Or the Bearer scheme
Authorization: Bearer <base64(JWT)>
Or the Hawk scheme
Authorization: Hawk id="...", ts="...", nonce="...", ext="...", mac="..."
Or any other scheme it can agree on with the server.
Upvotes: 1
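The behaviour the answer describes, written out as an added Ruby example (not code from the question, the answer, or the Knock gem): the server parses the header using the RFC 7235 grammar the question quotes, compares the auth-scheme case-insensitively, dispatches on it, and returns 401 with a WWW-Authenticate challenge for any scheme it has not agreed on, so the "random auth-scheme" and "no auth-scheme" requests from the question are refused rather than silently accepted. verify_jwt and check_password are assumed application callbacks.

```ruby
# Added example, not from the question, the answer or the Knock gem: a strict
# Authorization-header parser that honours the auth-scheme.
require 'base64'

# Grammar from RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
SCHEME     = /\A([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:[ \t]+(.*))?\z/
TOKEN68    = /\A[A-Za-z0-9\-._~+\/]+=*\z/
AUTH_PARAM = /([!#$%&'*+\-.^_`|~0-9A-Za-z]+)=(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))/

# Returns { scheme:, token68: } or { scheme:, params: }, or nil when malformed.
# The scheme and parameter names are lower-cased because they are case-insensitive.
def parse_authorization(header)
  return nil if header.nil?
  m = SCHEME.match(header.strip)
  return nil unless m
  scheme, rest = m[1].downcase, (m[2] || '').strip
  return { scheme: scheme, params: {} } if rest.empty?
  return { scheme: scheme, token68: rest } if TOKEN68.match?(rest)
  params = rest.scan(AUTH_PARAM).to_h { |k, q, t| [k.downcase, q ? q.gsub(/\\(.)/, '\1') : t] }
  return nil if params.empty?
  { scheme: scheme, params: params }
end

# Dispatch on the scheme; each branch returns [status, headers, body].
# verify_jwt and check_password are hypothetical application callbacks.
def authenticate(header, verify_jwt:, check_password:)
  creds = parse_authorization(header)
  challenge = { 'WWW-Authenticate' => 'Bearer realm="api"' }
  return [401, challenge, 'missing or malformed credentials'] unless creds
  case creds[:scheme]
  when 'bearer'
    return [401, challenge, 'bad bearer token'] unless creds[:token68] && verify_jwt.call(creds[:token68])
    [200, {}, 'ok']
  when 'basic'
    decoded = creds[:token68] && Base64.strict_decode64(creds[:token68]) rescue nil
    user, pass = decoded.to_s.split(':', 2)
    return [401, challenge, 'bad basic credentials'] unless pass && check_password.call(user, pass)
    [200, {}, 'ok']
  else
    # A scheme the server never agreed on (including a bare token, which parses
    # as a scheme with no credentials) is refused instead of being guessed at.
    [401, challenge, "unsupported auth-scheme #{creds[:scheme].inspect}"]
  end
end
```

Note that with this parser a bare JWT sent without any scheme is read as an unknown scheme name, which is exactly why the header grammar starts with the scheme: the server has no other way to know how to interpret what follows.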