oauth-v2-1

Character encoding for the application/x-www-form-urlencoded format

Open adeinega opened this issue 1 year ago • 1 comments

Section 3.2.2 Tokens states that

The client makes a request to the token endpoint by sending the following parameters using the application/x-www-form-urlencoded format per Appendix B with a character encoding of UTF-8 in the HTTP request content:

However, the following example does not include UTF-8 as the character encoding:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

It should look like this:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded; charset=UTF-8;

The same applies to all other similar examples in the spec.

How is this important? In some (rare) cases, it can lead to interoperability issues, as app servers & frameworks that run an AS do not necessarily use "UTF-8" as a default character encoding; as an example, Java Servlets use "ISO-8859-1". So, it is better for a client to always specify the character explicitly.

adeinega, Jan 22 '24 18:01
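The mismatch described in the issue, as an added example that is not part of the issue or the spec: the same request content is decoded once with the ISO-8859-1 default the issue attributes to Java Servlets and once with the charset taken from the Content-Type header. The function names and the `display_name` parameter are hypothetical, and the request content is constructed.

```python
from urllib.parse import parse_qs, urlencode

# Default the issue names for Java Servlets when no charset is sent.
SERVLET_DEFAULT = "ISO-8859-1"


def charset_from_content_type(content_type, default):
    """Return the charset parameter of a Content-Type value, else `default`."""
    _, *params = content_type.split(";")
    for param in params:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset" and value.strip():
            return value.strip().strip('"')
    return default


def server_decode(content_type, body, default=SERVLET_DEFAULT):
    """Decode form content as a server with the given default charset would."""
    charset = charset_from_content_type(content_type, default)
    fields = parse_qs(body, encoding=charset, errors="replace")
    return {key: values[0] for key, values in fields.items()}


# Constructed request content: the client percent-encodes UTF-8 bytes.
# "display_name" is a hypothetical extension parameter carrying non-ASCII text.
BODY = urlencode(
    {"grant_type": "client_credentials", "display_name": "Zoë"},
    encoding="utf-8",
)

# Header as in the spec example quoted in the issue (no charset).
WITHOUT_CHARSET = server_decode("application/x-www-form-urlencoded", BODY)

# Header as proposed in the issue (explicit charset).
WITH_CHARSET = server_decode(
    "application/x-www-form-urlencoded; charset=UTF-8;", BODY
)

if __name__ == "__main__":
    print("request content :", BODY)
    print("no charset      :", WITHOUT_CHARSET["display_name"])
    print("charset=UTF-8   :", WITH_CHARSET["display_name"])
```

Pure-ASCII parameters decode identically either way, so the difference only shows up once a value contains a non-ASCII character.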