Andrii Deinega

Results 11 comments of Andrii Deinega

@googlebot I signed it!

It's fine to omit the `client_secret` parameter for certain use cases:

1. public and/or native clients, for details, see the Client Authentication section in https://datatracker.ietf.org/doc/html/rfc8252#section-8.5 for more details
2. when...

I'd suggest trying to go with https://github.com/go-json-experiment/json, have a look also at its [goals](https://github.com/go-json-experiment/json?tab=readme-ov-file#goals-and-objectives).

I support this. There are other ways to communicate events including doing that in a bidirectional way, for instance, WebSockets (which is a decent option in my view). There should...

Using simple string comparison for redirect URIs is not always possible due to the usage of randomly assigned ports in Redirect URIs for public (native) clients. The OpenID Connect Core...

You are right, it is well understood how the token endpoint works but I did not suggest redefining it differently. The charset parameter does not change anything, "application/x-www-form-urlencoded" remains to...

Just for the record, https://github.com/openid/OpenID4VP/issues/40 is about the same but in [OpenID4VP](https://github.com/openid/OpenID4VP). https://www.iana.org/assignments/media-types/application/x-www-form-urlencoded considers only 7bit encoding.

@jogu, https://url.spec.whatwg.org/#urlencoded-parsing gives a very precise description (that I've seen so far) of what we're dealing with here

> The application/x-www-form-urlencoded format is in many ways an aberrant monstrosity, the result of...

To address both concerns, the specification may suggest to not include this (and other extra) information. As an example, the standard GoLang [compress/gzip package](https://pkg.go.dev/compress/gzip#Header) comes with good defaults OTB (everything...