These intermediate requests are out of scope of this specification, and are expected to be defined by the authorization server. The format of these requests is not required to conform to the format of the initial authorization challenge requests (e.g. the request format may be application/json rather than application/x-www-form-urlencoded)
paragraphs like this that leave a lot to the implementations in places that impact interoperability make me wonder what drives the need for the interoperability in this specification? I mean, if it is first part client and first party AS, they can define and follow their own internal specification, right? but there must have been the need for this draft. making those boundaries clearer would really help the reader.
from section 5.3,
paragraphs like this that leave a lot to the implementations in places that impact interoperability make me wonder what drives the need for the interoperability in this specification? I mean, if it is first part client and first party AS, they can define and follow their own internal specification, right? but there must have been the need for this draft. making those boundaries clearer would really help the reader.