Sections 4.1.4, 4.3.3, 5.1 and 5.2 require that entity bodies in HTTP responses be in "application/json". Is my understanding correct? If so, this is awkward for services that rely solely on XML formats for communication.
Can the standard explicitly accommodate implementors that want to return other (agreed upon) formats based on the HTTP Accept header? For example, if a consumer requests a token from an Authorization Server with an Accept header of "text/xml" then the response will be formatted as XML. The schema describing that document can be standardized, if needed. If it is "application/json" the response will be formatted accordingly. In the case of unsupported formats, the authorization server should return HTTP status code 406 to be consistent with the way HTTP works.

Thanks,
Werner
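The Accept-based negotiation proposed in the message above, sketched as an added example that is not part of the original post or of any OAuth specification text. The XML layout (`token_response` root, one element per field), the function names and the sample token values are assumptions, since the message leaves the schema open.

```python
import json
from xml.sax.saxutils import escape

SUPPORTED = ("application/json", "text/xml")  # server preference order

def parse_accept(header):
    """Parse an Accept header into [(media_range, q)]."""
    ranges = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        if not fields[0]:
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed q: treat the range as not acceptable
        ranges.append((fields[0].lower(), q))
    return ranges

def quality(media_type, ranges):
    """q of the most specific range matching media_type, 0.0 if none."""
    candidates = (media_type, media_type.split("/")[0] + "/*", "*/*")
    for candidate in candidates:  # most specific first
        for rng, q in ranges:
            if rng == candidate:
                return q
    return 0.0

def negotiate(accept):
    """Pick a supported type, or None when the reply should be 406."""
    ranges = parse_accept(accept) if accept else [("*/*", 1.0)]
    best = max(SUPPORTED, key=lambda t: quality(t, ranges))  # ties: first wins
    return best if quality(best, ranges) > 0 else None

def token_response(accept, token):
    """Return (status, headers, body) for a token-endpoint reply."""
    headers = {"Cache-Control": "no-store"}  # token replies must not be cached
    chosen = negotiate(accept)
    if chosen is None:
        return 406, headers, ""
    headers["Content-Type"] = chosen
    if chosen == "application/json":
        return 200, headers, json.dumps(token)
    # Assumed XML layout: one element per field, values escaped.
    fields = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in token.items())
    return 200, headers, f"<token_response>{fields}</token_response>"
```

A request with no Accept header falls back to the server's first preference, and an explicit `q=0` on a format excludes it even when a wildcard range is also present.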
