Require Accept headers in requests.

Open Zegnat opened this issue 3 years ago • 2 comments

More strictly define the requests we expect clients to send to the endpoints, outside of just the (generally treated as non-normative) examples. This adds:

  1. The requirement for an HTTP Accept header of application/json when redeeming the authorization code. This hopefully avoids new clients having problems with old authorization endpoints that could have answered with an application/x-www-form-urlencoded response.
  2. The requirement for an HTTP Accept header of application/json when verifying a Bearer Token at the token endpoint.

As it adds language about the Accept header, it also clarifies the use of the URL spec's application/x-www-form-urlencoded format and its matching Content-Type header to the redeem step.

Fixes #18. (I think.)

Zegnat, Nov 22 '20 12:11
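
An added example, not part of the original issue or of the specification text: the client side of the redeem step described above, sending the form-encoded body with `Accept: application/json` and refusing a non-JSON reply unless legacy handling is explicitly enabled. The function names, the `allow_legacy_form` switch, the request parameter names and the example.* URLs are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode, parse_qs

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"

def build_redeem_request(endpoint, code, client_id, redirect_uri):
    """Describe the POST that redeems an authorization code (no network I/O)."""
    # urlencode() emits the application/x-www-form-urlencoded serialization.
    body = urlencode({"code": code, "client_id": client_id,
                      "redirect_uri": redirect_uri}).encode("ascii")
    headers = {"Content-Type": FORM,   # matches the body format
               "Accept": JSON}         # ask the endpoint for a JSON reply
    return {"method": "POST", "url": endpoint, "headers": headers, "body": body}

def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def parse_redeem_response(content_type, body, allow_legacy_form=False):
    """Parse the reply by its declared Content-Type instead of guessing."""
    kind = media_type(content_type)
    if kind == JSON:
        data = json.loads(body.decode("utf-8"))
        if not isinstance(data, dict):
            raise ValueError("JSON response is not an object")
        return data
    if kind == FORM and allow_legacy_form:
        # Older endpoints could answer form-encoded; accept only on opt-in.
        fields = parse_qs(body.decode("ascii"), strict_parsing=True)
        if any(len(values) != 1 for values in fields.values()):
            raise ValueError("repeated field in form-encoded response")
        return {name: values[0] for name, values in fields.items()}
    raise ValueError("unexpected response Content-Type: %r" % content_type)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    req = build_redeem_request("https://auth.example/auth", "abc 123",
                               "https://app.example/", "https://app.example/cb")
    print(req["headers"], req["body"])
    print(parse_redeem_response("application/json; charset=utf-8",
                                b'{"me": "https://user.example/"}'))
```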