[I tried to articulate this at IETF 117 but maybe didn't do a good job so want to try again here "on record"]
It seems quite reasonable to have the initial Authorization Challenge Request be application/x-www-form-urlencoded as it is consistent with OAuth 2.x in general. But I worry that it'll be too limiting for the in-between follow-up requests to the challenge endpoint. That part is effectively facilitating an AS defined authn/z API (which I do think is appropriate rather than attempting to define something here) but I suspect folks will really not want the requests on such an API to have to be application/x-www-form-urlencoded. And probably/maybe will want more flexibility on the content of the JSON responses too.
We agree, Section 5.1 should mention that future requests to the endpoint are defined by the authorization server, not by this specification, and may be in formats other than application/x-www-form-urlencoded
[I tried to articulate this at IETF 117 but maybe didn't do a good job so want to try again here "on record"]
It seems quite reasonable to have the initial Authorization Challenge Request be
application/x-www-form-urlencoded
as it is consistent with OAuth 2.x in general. But I worry that it'll be too limiting for the in-between follow-up requests to the challenge endpoint. That part is effectively facilitating an AS defined authn/z API (which I do think is appropriate rather than attempting to define something here) but I suspect folks will really not want the requests on such an API to have to beapplication/x-www-form-urlencoded
. And probably/maybe will want more flexibility on the content of the JSON responses too.