prompt: In `handleTokenRequest()`, the request is allowed to be JSON or FormData. Does the OAuth spec actually specify both of these as options?
Claude "researched" the topic (including attempting to curl the current OAuth 2.1 draft, but apparently curl is blocked by the Claude Code tool "for security reasons"), then said:
```
Based on my research, the current implementation in handleTokenRequest() accepts both JSON and form-urlencoded formats for token requests,
but this doesn't comply with the OAuth specifications:
1. RFC 6749 (OAuth 2.0) Section 2.3 specifically states:
The client MUST use the "application/x-www-form-urlencoded" format as defined by W3C.HTML 4.01 Specification with a character encoding of
UTF-8 in the HTTP request entity-body.
2. The OAuth 2.1 draft maintains this requirement.
To strictly follow the OAuth specs, the implementation should only accept application/x-www-form-urlencoded content type for token
requests and should return an error for other content types.
Would you like me to modify the code to make it strictly compliant with the OAuth specification?
```
prompt: Yes
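A content-type gate of the kind the message describes, as an added example rather than the project's own `handleTokenRequest()`: only `application/x-www-form-urlencoded` bodies are parsed, and anything else gets the RFC 6749 Section 5.2 error response (HTTP 400, JSON body with `error: invalid_request`). The function and parameter names are assumptions for the example.

```javascript
// Added example, not the project's code: a content-type check for an
// OAuth 2.0 token endpoint per RFC 6749 Section 2.3 (form-urlencoded only).
// Names (parseTokenRequest, tokenError, mediaTypeOf) are assumptions.

const FORM_MEDIA_TYPE = 'application/x-www-form-urlencoded';

// Extract the media type from a Content-Type header value, ignoring
// parameters such as "; charset=UTF-8" and differences in case/whitespace.
function mediaTypeOf(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// RFC 6749 Section 5.2 error response: HTTP 400 with a JSON body.
function tokenError(description) {
  return {
    status: 400,
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
    body: { error: 'invalid_request', error_description: description },
  };
}

// Parse a token request body. Returns { ok: true, params } on success, or
// { ok: false, response } carrying the error response the server should send.
function parseTokenRequest(contentType, rawBody) {
  if (mediaTypeOf(contentType) !== FORM_MEDIA_TYPE) {
    return { ok: false, response: tokenError(`Content-Type must be ${FORM_MEDIA_TYPE}`) };
  }
  const params = Object.create(null); // no prototype keys to collide with
  for (const [key, value] of new URLSearchParams(rawBody)) {
    // RFC 6749 Section 3.2: a parameter MUST NOT be included more than once.
    if (key in params) {
      return { ok: false, response: tokenError(`duplicate parameter: ${key}`) };
    }
    params[key] = value;
  }
  if (!params.grant_type) {
    return { ok: false, response: tokenError('missing grant_type') };
  }
  return { ok: true, params };
}

// Constructed sample: a JSON body is rejected even though it is well-formed.
const rejected = parseTokenRequest('application/json', '{"grant_type":"client_credentials"}');
console.log(rejected.response.status, rejected.response.body.error); // 400 invalid_request
```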