In the text on the authorization and token endpoints an assumption is made that the query component of the URLs will be specified based on x-www-form-urlencoded. But in fact that is never explicitly stated. What is explicitly stated is that RFC 3986 section 3 has to be used (and then only for the authorization endpoint, not the token endpoint). But section 3 just defines what characters can be used in a query component; it says nothing about x-www-form-urlencoded.

Suggest that the specification needs to normatively state that we are requiring all authorization endpoints that use the query component to do so using x-www-form-urlencoded.

Where RFC 5552 comes into the picture is in cases where the request body is an HTML form. In that case it makes sense to natively encode the form content using UTF-8. So this only applies to OAuth requests that use the request body. So this would apply to sections 2.4.1, 3.1, 3.2, 4.1.3, 4.3.2 & 4.4.2. Really, anywhere that a request can be made in the request body
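An added example, not part of the original post: the same query string is valid under RFC 3986 section 3 yet yields a different `scope` depending on whether the receiver applies x-www-form-urlencoded rules, which is the gap the message describes. The sample query, its parameter values and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, unquote, urlencode

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" ). Characters only, no structure.
RFC3986_QUERY = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*")

# Constructed sample authorization-request query (all values are made up).
SAMPLE_QUERY = "response_type=code&client_id=example-client&scope=read+write&state=a%2Bb%20c"


def is_rfc3986_query(q):
    """True if q uses only characters RFC 3986 allows in a query component."""
    return RFC3986_QUERY.fullmatch(q) is not None


def decode_as_form(q):
    """application/x-www-form-urlencoded reading: '+' means space."""
    return dict(parse_qsl(q, keep_blank_values=True, strict_parsing=True))


def decode_percent_only(q):
    """Percent-decoding only, so '+' stays literal.
    Splitting on '&' and '=' is an assumption: RFC 3986 defines no pair syntax."""
    pairs = (p.partition("=") for p in q.split("&") if p)
    return {unquote(k): unquote(v) for k, _, v in pairs}


def disagreements(q):
    """Parameter names whose value depends on which reading the receiver uses."""
    form, plain = decode_as_form(q), decode_percent_only(q)
    return sorted(k for k in form.keys() | plain.keys() if form.get(k) != plain.get(k))


def encode_unambiguous(params):
    """Encode space as %20 and '+' as %2B so both readings agree."""
    return urlencode(params, quote_via=quote)


if __name__ == "__main__":
    print(is_rfc3986_query(SAMPLE_QUERY))
    print(decode_as_form(SAMPLE_QUERY)["scope"], "|", decode_percent_only(SAMPLE_QUERY)["scope"])
    print(disagreements(SAMPLE_QUERY))
    safe = encode_unambiguous({"scope": "read write", "state": "a+b"})
    print(safe, disagreements(safe))
```

A client and server that pick different readings will disagree on the requested scope even though neither has violated RFC 3986, so a sender that cannot rely on normative text can percent-encode spaces and plus signs to stay unambiguous.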
