diff --git a/internal/authz/oidc.go b/internal/authz/oidc.go
index d77ba90d..d5a2d8f6 100644
--- a/internal/authz/oidc.go
+++ b/internal/authz/oidc.go
@@ -528,7 +528,7 @@ func performIDPRequest(log telemetry.Logger, client *http.Client, uri string, fo
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 func isValidIDPNewTokensResponse(log telemetry.Logger, config *oidcv1.OIDCConfig, tokenResponse *idpTokensResponse) bool {
 // token_type must be Bearer
- if tokenResponse.TokenType != "Bearer" {
+ if !strings.EqualFold(tokenResponse.TokenType, "Bearer") {
 log.Info("token type is not Bearer in token response", "token-type", tokenResponse.TokenType)
 return false
 }
@@ -553,7 +553,7 @@ func isValidIDPNewTokensResponse(log telemetry.Logger, config *oidcv1.OIDCConfig
 // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
 func isValidIDPRefreshTokenResponse(log telemetry.Logger, tokenResponse *idpTokensResponse) bool {
 // token_type must be Bearer
- if tokenResponse.TokenType != "Bearer" {
+ if !strings.EqualFold(tokenResponse.TokenType, "Bearer") {
 log.Info("token type is not Bearer in token response", "token-type", tokenResponse.TokenType)
 return false
 }
diff --git a/internal/authz/oidc_test.go b/internal/authz/oidc_test.go
index c54a4e1d..c51355d2 100644
--- a/internal/authz/oidc_test.go
+++ b/internal/authz/oidc_test.go
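Review bot: The comparison now accepts any casing of `Bearer`, which is what RFC 6749 §5.1 requires (the token_type value is case-insensitive), but the comment right above it still reads `// token_type must be Bearer`, and the same check is duplicated byte-for-byte in isValidIDPNewTokensResponse here and in isValidIDPRefreshTokenResponse at @@ -553. I would change the comment to `// token_type must be Bearer (case-insensitive per RFC 6749 §5.1)` in both places and consider folding the rule into one helper such as `func isBearerTokenType(t string) bool { return strings.EqualFold(t, "Bearer") }` so the two validators cannot drift apart again. The hunk does not show the import block, so it is worth confirming `strings` is already imported in oidc.go rather than relying on the build to catch it. Both enclosing functions continue past the end of their hunks.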
@@ -868,6 +868,24 @@ func TestOIDCProcess(t *testing.T) {
 requireStoredState(t, store, sessionID, false)
 },
 },
+ {
+ name: "IDP server returns lowercase 'bearer' token, succeeds",
+ req: withSessionHeader,
+ storedTokenResponse: expiredTokenResponse,
+ mockTokensResponse: &idpTokensResponse{
+ IDToken: validIDToken,
+ AccessToken: "access-token",
+ TokenType: "bearer",
+ ExpiresIn: 10,
+ },
+ responseVerify: func(t *testing.T, resp *envoy.CheckResponse) {
+ require.Equal(t, int32(codes.OK), resp.GetStatus().GetCode())
+ require.NotNil(t, resp.GetOkResponse())
+ requireTokensInResponse(t, resp.GetOkResponse(), basicOIDCConfig, validIDToken, "access-token")
+ requireStoredTokens(t, store, sessionID, true)
+ requireStoredTokens(t, store, newSessionID, false)
+ },
+ },
 {
 name: "succeed",
 req: withSessionHeader,
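Review bot: The new case appears to cover only one of the two validators changed in this commit: with storedTokenResponse set to expiredTokenResponse the lowercase token_type is presumably checked on the refresh path (isValidIDPRefreshTokenResponse), while the new-tokens path (isValidIDPNewTokensResponse) is never fed a non-canonical casing. A sibling case that drives the code-exchange flow with `TokenType: "bearer"`, or a mixed-case value such as `"BEARER"` since EqualFold accepts any casing, would pin the behaviour of both functions rather than one. Whether the expired stored token actually routes through the refresh validator is inferred from the fixture names, not visible in the hunk. The enclosing table-driven test begins before and continues after this hunk.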