Require Accept headers in requests. #70
Conversation
|
Do we know how many servers currently default to form-encoded responses still? I'm still on the fence about adding this since it's not a requirement of OAuth 2.0, and is really only needed for backwards compatibility with older IndieAuth clients. I think I would still like to make a push to update servers to default to the JSON responses instead. |
|
I am not sure. Back in 2017 there was a discussion on Selfauth because of Telegraph not supporting JSON. But Selfauth has always preferred serving JSON over form-urlencoded unless a server specifically asked for form-urlencoded. And that was 3 years ago... Selfauth does not currently answer when no Accept header is provided, I think. In that case it will throw an HTTP 406 Not Acceptable. But that is not really IndieAuth spec specific and just Selfauth being overly strict. We may be talking about 2017 and earlier clients and servers here. |
More strictly define the requests we expect clients to send to the endpoints, outside of just the (generally treated as non-normative) examples. This adds:
Acceptheader ofapplication/jsonwhen redeeming the authorization code. This hopefully avoids new clients having problems with old authorization endpoints that could have answered with anapplication/x-www-form-urlencodedresponse.Acceptheader ofapplication/jsonwhen verifying a Bearer Token at the token endpoint.As it ads language about the
Acceptheader, it also clarifies the use of URL spec's application/x-www-form-urlencoded format and its matchingContent-Typeheader to the redeem step.Fixes #18. (I think.)