oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Character encoding for the application/x-www-form-urlencoded format #167

Open adeinega opened 10 months ago

adeinega commented 10 months ago

Section 3.2.2 Tokens states that

The client makes a request to the token endpoint by sending the following parameters using the application/x-www-form-urlencoded format per Appendix B with a character encoding of UTF-8 in the HTTP request content:

However, the following example does not include UTF-8 as the character encoding:

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

It should look like this:

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8;

The same applies to all other similar examples in the spec.

How is this important? In some (rare) cases, it can lead to interoperability issues, as app servers & frameworks that run an AS do not necessarily use "UTF-8" as a default character encoding; as an example, Java Servlets use "ISO-8859-1". So, it is better for a client to always specify the character explicitly.

aaronpk commented 6 days ago

From what I can tell, the application/x-www-form-urlencoded content type implies UTF-8 encoding, so it is not needed to include the charset.

https://url.spec.whatwg.org/#application/x-www-form-urlencoded
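
The decoding mismatch discussed in this thread, as an added example (not code from the issue, the spec, or either commenter): a client percent-encodes UTF-8 bytes, and a server decodes the body with either the header's charset or its own default. The secret value, the function names, and the use of an ISO-8859-1 default to model the servlet behaviour mentioned above are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample value, not taken from the issue or the spec.
CLIENT_SECRET = "pässwörd-€"


def build_body(params):
    """Client side: percent-encode the UTF-8 bytes of each value."""
    return urlencode(params, encoding="utf-8")


def charset_from_content_type(content_type, default):
    """Return the charset parameter of a Content-Type value, else the default."""
    for part in content_type.split(";")[1:]:
        name, _, value = part.partition("=")
        if name.strip().lower() == "charset" and value.strip():
            return value.strip().strip('"')
    return default


def server_parse(body, content_type, server_default):
    """Server side: decode the form body with the header charset or the default."""
    charset = charset_from_content_type(content_type, server_default)
    parsed = parse_qs(body, encoding=charset, errors="strict")
    return {key: values[0] for key, values in parsed.items()}


def secret_matches(received):
    """Constant-time comparison of the received secret with the stored one."""
    return hmac.compare_digest(received.encode("utf-8"),
                               CLIENT_SECRET.encode("utf-8"))


BODY = build_body({"grant_type": "client_credentials",
                   "client_secret": CLIENT_SECRET})
BARE = "application/x-www-form-urlencoded"
EXPLICIT = "application/x-www-form-urlencoded; charset=UTF-8;"

if __name__ == "__main__":
    for label, ctype, default in [
        ("no charset, server default ISO-8859-1", BARE, "iso-8859-1"),
        ("no charset, server default UTF-8", BARE, "utf-8"),
        ("explicit charset, server default ISO-8859-1", EXPLICIT, "iso-8859-1"),
    ]:
        got = server_parse(BODY, ctype, default)["client_secret"]
        print(f"{label}: {got!r} match={secret_matches(got)}")
```

Only the first case fails authentication: the same bytes are read as mojibake, so a correct secret is rejected.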
