analysis of token type of oauth2 plugin

[coxon]

when send request to route which added oauth2 plugin with a oauth2 bearer token, like "Authorization: bearer token", it works as expected, but if i remove token_type as "Authorization:token", the request also authorized.
I read the source code of oauth2 access.lua, the function "parse_access_token()" obtain access_token from "auth_header_name"
and when the token type is not satisfied, a non-null value is still returned.

Is this intentional or a bug?

local function parse_access_token(conf)
  local found_in = {}

  local access_token = kong.request.get_header(conf.auth_header_name)
  if access_token then
    local parts = {}
    for v in access_token:gmatch("%S+") do -- Split by space
      table.insert(parts, v)
    end

    if #parts == 2 and (parts[1]:lower() == "token" or
                        parts[1]:lower() == "bearer") then
      access_token = parts[2]
      found_in.authorization_header = true
    end
  else
    access_token = retrieve_parameters()[ACCESS_TOKEN]
    if type(access_token) ~= "string" then
      return
    end
  end

  if conf.hide_credentials then
    if found_in.authorization_header then
      kong.service.request.clear_header(conf.auth_header_name)

    else
      -- Remove from querystring
      local parameters = kong.request.get_query()
      parameters[ACCESS_TOKEN] = nil
      kong.service.request.set_query(parameters)

      local content_type = kong.request.get_header("content-type")
      local is_form_post = content_type and
        string_find(content_type, "application/x-www-form-urlencoded", 1, true)

      if kong.request.get_method() ~= "GET" and is_form_post then
        -- Remove from body
        parameters = kong.request.get_body() or {}
        parameters[ACCESS_TOKEN] = nil
        kong.service.request.set_body(parameters)
      end
    end
  end

  return access_token
end

[bungle]

It looks like it was first introduced in Kong 0.15.0 in this commit:
bfbb0d3

From the looks of the code, it does seem that this was not expected behavior.

The code will enter to:

if access_token then

But does not set:

found_in.authorization_header = true

But it still retunrs the access_token.

Thus I believe that this was probably not an intent. This has been though in a code for very long. Thus, has it became a feature?

So two ways:

1. also set the found_in.authorization_header = true, OR
2. disallow Authorization header if it is missing bearer or token (I am not sure where that token came from)

@coxon, have you found some particular issue because of it?