
ClientCredentialsTokenHandler doesn't work with Apigee due to use of token_type for auth scheme #1413

Open
rhyscooper opened this issue Sep 20, 2024 · 2 comments

Comments

@rhyscooper

Which version of Duende.AccessTokenManagement are you using?
Duende.AccessTokenManagement 3.0.0

Which version of .NET are you using?
net8.0

The ClientCredentialsTokenHandler from Duende.AccessTokenManagement doesn't work with Apigee's OAuth 2.0 bearer token implementation, because the token_type being returned is "BearerToken" instead of "Bearer". "BearerToken" is invalid for use as an auth header scheme, therefore all API requests fail with 401. It's clear that Apigee is non-compliant (https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#non-rfc-compliant-behavior); however, as we are consuming someone else's API, we don't control this.

This is similar to the closed issue reported DuendeSoftware/Duende.AccessTokenManagement#38, however that is purely related to case sensitivity of token_type rather than an entirely different token_type being returned from the token api.

It would be useful to be able to override the scheme in the ClientCredentialsClient config and use that instead of the value returned as the token_type.
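The pipeline described above (the token handler copies the token response's token_type into the Authorization scheme, and a "BearerToken" scheme is then rejected by the API) can be worked around today without changes to the library. The following C# example is added here and is not code from Duende.AccessTokenManagement or from the issue author; the class names SchemeNormalizingHandler and StubApiHandler, the mapping table, and the token values are constructed for illustration. It places a DelegatingHandler after the token handler in the HttpClient pipeline and rewrites a known non-RFC 6750 scheme to "Bearer", leaving the token itself untouched; a stub handler stands in for a strict resource server so the before/after behaviour can be observed offline.

```csharp
// Added example, not part of the Duende project. Demonstrates normalizing a
// non-compliant Authorization scheme ("BearerToken") to "Bearer" in a
// DelegatingHandler that sits *inside* (after) the token handler.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

public sealed class SchemeNormalizingHandler : DelegatingHandler
{
    // Hypothetical map of token_type values seen in the wild to the scheme the
    // resource server actually accepts. Case-insensitive so "bearer" is covered too.
    private static readonly Dictionary<string, string> SchemeMap =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["BearerToken"] = "Bearer", // Apigee's documented non-RFC value
            ["Bearer"] = "Bearer",      // canonical casing for case-variant responses
        };

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth is not null
            && SchemeMap.TryGetValue(auth.Scheme, out var fixedScheme)
            && !string.Equals(auth.Scheme, fixedScheme, StringComparison.Ordinal))
        {
            // Only the scheme is replaced; the credential (auth.Parameter) is forwarded as-is.
            request.Headers.Authorization = new AuthenticationHeaderValue(fixedScheme, auth.Parameter);
        }
        return base.SendAsync(request, ct);
    }
}

// Stub standing in for the Apigee-fronted API: like a strict RFC 6750 resource
// server it accepts only the "Bearer" scheme and answers 401 for anything else.
public sealed class StubApiHandler : HttpMessageHandler
{
    public const string ExpectedToken = "constructed-access-token"; // constructed sample value

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        var ok = auth is not null && auth.Scheme == "Bearer" && auth.Parameter == ExpectedToken;
        return Task.FromResult(new HttpResponseMessage(ok ? HttpStatusCode.OK : HttpStatusCode.Unauthorized));
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Simulate what the token handler does with Apigee's response: scheme = token_type.
        const string tokenType = "BearerToken"; // constructed, mirrors Apigee's documented value

        var withoutFix = new HttpClient(new StubApiHandler());
        var withFix = new HttpClient(new SchemeNormalizingHandler { InnerHandler = new StubApiHandler() });

        foreach (var (label, client) in new[] { ("without normalizer", withoutFix), ("with normalizer", withFix) })
        {
            using var req = new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/resource");
            req.Headers.Authorization = new AuthenticationHeaderValue(tokenType, StubApiHandler.ExpectedToken);
            using var resp = await client.SendAsync(req);
            Console.WriteLine($"{label}: HTTP {(int)resp.StatusCode}");
        }
    }
}
```

In a real application the normalizer is registered with AddHttpMessageHandler after the token handler so that it sees the Authorization header the token handler has already set. Keeping the mapping to an explicit allow-list (rather than blindly forcing "Bearer") means an unexpected token_type still surfaces as a 401 instead of being silently masked.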

@leastprivilege
Member

Where in the code do you see BearerToken added to the header?

@rhyscooper
Author

rhyscooper commented Sep 20, 2024

Unfortunately "BearerToken" is returned as the "token_type" from the Apigee OAuth API:

https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#non-rfc-compliant-behavior

The token_type returned in the response is used as the scheme in the SetTokenAsync method:
https://github.com/DuendeSoftware/Duende.AccessTokenManagement/blob/b0f2ac089375cecaf7c2f3f83bb52af6ded0e54a/src/Duende.AccessTokenManagement/AccessTokenHandler.cs#L85
