In the ten years since OAuth started, we’ve seen a huge shift away from form
encoding to JSON encoding for sending data to a server. And yet, OAuth is stuck
with form encoding. So I thought, why can’t we change that?
I put together a quick proposal for how this would work.
https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
The basic idea is that you take the map of form inputs and make it into a JSON
object. For some fields, like scope and authorization_details, you can define a
JSON-specific encoding to make use of object and array structures native to
JSON. You also don’t have to url-encode values inside the JSON strings.
Caveat, I haven’t tried implementing this yet, but I think it’s not likely to
be that difficult for either the client or server side of things. At worst it
seems like it’d be a pretty simple middleware function. Functionality can be
detected at the AS by the content negotiation in HTTP (client sends
content-type of JSON), and can be advertised as an option in the metadata (or
in an OPTIONS call to the token endpoint, to be more HTTP-friendly).
— Justin
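As an added illustration (not part of Justin's message or of the draft itself), here is one shape the "simple middleware function" could take at the AS: it dispatches on the request's `Content-Type`, parses either the form body or the JSON body, and normalises both into the same parameter map so the rest of the token endpoint does not care which encoding the client used. The names (`parse_token_request`, `BadRequest`, `UnsupportedMediaType`), the decision to represent `scope` as a list and `authorization_details` as a native JSON array on the form side, and the strictness rules (exactly one value per parameter, strings only except for the two structured fields) are this example's own assumptions, not something the draft specifies.

```python
from __future__ import annotations

import json
from urllib.parse import parse_qs

JSON_TYPE = "application/json"
FORM_TYPE = "application/x-www-form-urlencoded"


class BadRequest(Exception):
    """Body is syntactically or structurally invalid (HTTP 400)."""


class UnsupportedMediaType(Exception):
    """Client sent a Content-Type the endpoint does not accept (HTTP 415)."""


def parse_form_body(body: bytes) -> dict:
    """Classic OAuth token request: application/x-www-form-urlencoded."""
    try:
        # Percent-encoded form bodies are ASCII; reject raw non-ASCII outright.
        fields = parse_qs(body.decode("ascii"), keep_blank_values=True, strict_parsing=True)
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadRequest(f"malformed form body: {exc}") from exc
    out: dict = {}
    for name, values in fields.items():
        # Repeated parameters are ambiguous (which one wins?); refuse them.
        if len(values) != 1:
            raise BadRequest(f"parameter repeated: {name}")
        out[name] = values[0]
    if "scope" in out:
        # RFC 6749 scope is a space-delimited string; normalise to a list.
        out["scope"] = out["scope"].split()
    if "authorization_details" in out:
        # RFC 9396 carries a JSON array inside the (URL-encoded) form value.
        try:
            out["authorization_details"] = json.loads(out["authorization_details"])
        except ValueError as exc:
            raise BadRequest("authorization_details is not valid JSON") from exc
        _check_authorization_details(out["authorization_details"])
    return out


def _check_authorization_details(value: object) -> None:
    if not isinstance(value, list) or not all(isinstance(d, dict) for d in value):
        raise BadRequest("authorization_details must be an array of objects")


def parse_json_body(body: bytes) -> dict:
    """JSON-encoded token request (assumed shape: a flat object of parameters)."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadRequest(f"malformed JSON body: {exc}") from exc
    if not isinstance(doc, dict):
        raise BadRequest("top-level JSON value must be an object")
    for name, value in doc.items():
        if name == "scope":
            # Native array instead of a space-delimited string.
            if not isinstance(value, list) or not all(isinstance(s, str) for s in value):
                raise BadRequest("scope must be an array of strings")
        elif name == "authorization_details":
            _check_authorization_details(value)
        elif not isinstance(value, str):
            # Don't let numbers/booleans/null masquerade as "code" or "client_id";
            # silently str()-ing them would hide type confusion from later checks.
            raise BadRequest(f"parameter {name} must be a string")
    return doc


def parse_token_request(content_type: str, body: bytes) -> dict:
    """Content negotiation: pick the parser from the declared media type."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media == JSON_TYPE:
        return parse_json_body(body)
    if media == FORM_TYPE:
        return parse_form_body(body)
    raise UnsupportedMediaType(media)


if __name__ == "__main__":
    # Constructed sample requests: the same logical request in both encodings.
    form = b"grant_type=authorization_code&code=abc&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&scope=read+write"
    js = b'{"grant_type":"authorization_code","code":"abc","redirect_uri":"https://client.example/cb","scope":["read","write"]}'
    assert parse_token_request(FORM_TYPE, form) == parse_token_request(JSON_TYPE, js)
    print(parse_token_request(JSON_TYPE, js))
```

The point of the strict type checks in `parse_json_body` is that a JSON body can carry things a form body never could (numbers, booleans, nested objects under arbitrary keys), so a server that just converts every JSON value with `str()` would quietly accept inputs the form-based validation path never had to consider; rejecting anything but strings outside the two structured fields keeps both paths equivalent.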
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth