The spec does clearly require form-encoded POST requests to the token endpoint, it's not just an implication. The requests made include simple key/value pairs so there's nothing really gained by making this a JSON post. Changing that at this point would be a drastic breaking change to pretty much all existing code for very little benefit if any.
That said, Justin Richer did already write up a draft exploring this topic, but it hasn't shown much interest in the group yet. https://www.ietf.org/id/draft-richer-oauth-json-request-00.html Aaron On Tue, Oct 6, 2020 at 7:18 AM Janak Amarasena <janakama...@gmail.com> wrote: > Hi All, > > As per my understanding OAuth 2(RFC6749) doesn't mandate any specific > media type to be used in the access token request. The spec implies > application/x-www-form-urlencoded should be used. Since the media type > application/json is very popular and widely used now, any thoughts on > referencing the use of this as well for access token requests? > > Best Regards, > Janak Amarasena > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- --- Aaron Parecki https://aaronparecki.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth