content of follow-up requests to the challenge endpoint

[bc-pi]

[I tried to articulate this at IETF 117 but maybe didn't do a good job so want to try again here "on record"]

It seems quite reasonable to have the initial Authorization Challenge Request be application/x-www-form-urlencoded as it is consistent with OAuth 2.x in general. But I worry that it'll be too limiting for the in-between follow-up requests to the challenge endpoint. That part is effectively facilitating an AS defined authn/z API (which I do think is appropriate rather than attempting to define something here) but I suspect folks will really not want the requests on such an API to have to be application/x-www-form-urlencoded. And probably/maybe will want more flexibility on the content of the JSON responses too.

[aaronpk]

We agree, Section 5.1 should mention that future requests to the endpoint are defined by the authorization server, not by this specification, and may be in formats other than application/x-www-form-urlencoded