In the default case, aren't the challenge and verifier just an arbitrary string value? One that would be application/x-www-form-urlencoded on the authorization request (http://tools.ietf.org/html/rfc6749#section-4.1.1) and token request (http://tools.ietf.org/html/rfc6749#section-4.1.3) like any other parameter value? If the client uses unreserved characters, then no additional encoding is needed, but I'm not sure I see any reason to restrict it.
If a transform is used, I'd think that the transform defines how the octets are represented as strings.
