Open Zegnat opened 3 years ago
Do we know how many servers currently default to form-encoded responses still? I'm still on the fence about adding this since it's not a requirement of OAuth 2.0, and is really only needed for backwards compatibility with older IndieAuth clients. I think I would still like to make a push to update servers to default to the JSON responses instead.
I am not sure. Back in 2017 there was a discussion on Selfauth because of Telegraph not supporting JSON. But Selfauth has always preferred serving JSON over form-urlencoded unless a server specifically asked for form-urlencoded. And that was 3 years ago...
Selfauth does not currently answer when no Accept header is provided, I think. In that case it will throw an HTTP 406 Not Acceptable. But that is not really IndieAuth spec specific and just Selfauth being overly strict.
We may be talking about 2017 and earlier clients and servers here.
More strictly define the requests we expect clients to send to the endpoints, outside of just the (generally treated as non-normative) examples. This adds:

- `Accept` header of `application/json` when redeeming the authorization code. This hopefully avoids new clients having problems with old authorization endpoints that could have answered with an `application/x-www-form-urlencoded` response.
- `Accept` header of `application/json` when verifying a Bearer Token at the token endpoint.

As it adds language about the `Accept` header, it also clarifies the use of URL spec's application/x-www-form-urlencoded format and its matching `Content-Type` header to the redeem step.

Fixes #18. (I think.)
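An added example, not code from the spec or from this PR: a minimal client-side view of the two requests the PR describes. It sends the proposed `Accept: application/json` header together with the form-encoded `Content-Type` on the redeem step, and still decodes an answer from an older endpoint that replies with `application/x-www-form-urlencoded` (the backwards-compatibility case discussed above). Parameter names are the OAuth 2.0 authorization-code grant fields; all URLs, codes and tokens are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode


def build_redeem_request(code, client_id, redirect_uri):
    """Headers and body for redeeming an authorization code.

    Body is form-encoded per the URL spec; Accept asks for JSON so a
    spec-following endpoint does not fall back to form-encoded output.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def build_verify_request(access_token):
    """Headers for verifying a Bearer token at the token endpoint."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    }


def parse_token_response(status, content_type, body):
    """Decode an endpoint answer by its Content-Type.

    New endpoints answer JSON; older ones answer form-urlencoded.
    A 406 means the endpoint refused to produce application/json
    (the overly strict behaviour mentioned for Selfauth).
    """
    if status == 406:
        raise ValueError("endpoint cannot produce application/json (406)")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return json.loads(body)
    if media_type == "application/x-www-form-urlencoded":
        # parse_qs yields lists; each token-response field occurs once.
        return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    raise ValueError(f"unexpected Content-Type: {content_type!r}")
```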