I have an app which is OAuth2.0 and RFC 6749 compliant.
I need to extend the behaviour now such that a new RP will invoke my /auth endpoint and it is expecting a response containing my auth_ref, hence I thought instead of the default application/x-www-form-urlencoded format, I should use application/json in the request. This is for 2 reasons:
Q1. Is this spec compliant? According to my understanding of the RFC
Q2. An alternative I am considering is to just expose a different endpoint /authz
Q3. Also considering the possibility of adding a new param to the request on the same /auth endpoint. Will this also become non-compliant with the spec? Or will it be treated as an extension to the spec? Any implications if I extend it?
Thanks in advance.
If your /auth is an authorization endpoint which is defined in RFC 6749, it is a spec violation to use application/json as the Content-Type of requests.
On the other hand, it is allowed to include additional parameters in responses. The following is an excerpt from RFC 6749. You can see example_parameter in the response JSON.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
Like the above, you can include auth_req in responses. It is compliant with RFC 6749.
An authorization endpoint accepts application/x-www-form-urlencoded and responds with 302 Found and a Location header. A token endpoint accepts application/x-www-form-urlencoded and responds with 200 OK and application/json. See "Diagrams And Movies Of All The OAuth 2.0 Flows" for details.
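The two endpoint shapes the answer describes, as an added example that is not part of the question, the answer, or any library: an authorization endpoint that takes its form-encoded parameters and answers with 302 Found plus a Location header, and a token endpoint that rejects any request body other than application/x-www-form-urlencoded with the RFC 6749 invalid_request error, then answers 200 OK with a JSON body carrying an extension member. The client registration, the name auth_ref for the extra response member, and the in-memory code store are all assumptions made for the example.

```python
"""Minimal RFC 6749 authorization and token endpoints (added example, not the
original post's code).  Shows where extension parameters are allowed (the
token response) and that a non-form request body is rejected."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

FORM = "application/x-www-form-urlencoded"
JSON_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",  # RFC 6749 5.1: token responses are not cacheable
    "Pragma": "no-cache",
}

# Constructed registration data (assumption): one client, one redirect URI.
CLIENTS = {"s6BhdRkqt3": {"redirect_uri": "https://client.example.com/cb"}}
# Codes issued by the authorization endpoint, consumed once by the token endpoint.
ISSUED_CODES = {}


def parse_form(content_type, data):
    """Decode form-encoded data; None if the media type is not form-encoded."""
    media = (content_type or "").split(";")[0].strip().lower()
    if media != FORM:
        return None
    return {k: v[-1] for k, v in parse_qs(data, keep_blank_values=True).items()}


def add_query(uri, params):
    """Append params to the redirect URI's query component (RFC 6749 3.1.2),
    keeping any query the client registered."""
    parts = urlsplit(uri)
    merged = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    merged.update(params)
    return urlunsplit(parts._replace(query=urlencode(merged)))


def json_error(error, description):
    """RFC 6749 5.2 error response: HTTP 400 with a JSON body."""
    return 400, dict(JSON_HEADERS), json.dumps({"error": error, "error_description": description})


def authorization_endpoint(query_string):
    """RFC 6749 4.1.1/4.1.2: parameters arrive form-encoded in the query;
    the response is a 302 whose Location carries code (and state)."""
    req = parse_form(FORM, query_string)
    client = CLIENTS.get(req.get("client_id", ""))
    redirect_uri = req.get("redirect_uri")
    # 4.1.2.1: never redirect to an unregistered or mismatched redirect_uri.
    if client is None or redirect_uri != client["redirect_uri"]:
        return json_error("invalid_request", "unknown client_id or redirect_uri mismatch")
    state = req.get("state")
    if req.get("response_type") != "code":
        params = {"error": "unsupported_response_type"}
        if state is not None:
            params["state"] = state
        return 302, {"Location": add_query(redirect_uri, params)}, ""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": req["client_id"], "redirect_uri": redirect_uri}
    params = {"code": code}
    if state is not None:
        params["state"] = state  # 4.1.2: echo state exactly when the client sent it
    return 302, {"Location": add_query(redirect_uri, params)}, ""


def token_endpoint(content_type, body, auth_ref):
    """RFC 6749 4.1.3/5.1: form-encoded request, 200 OK with a JSON body.
    auth_ref is an assumed extension parameter; extra members are permitted."""
    req = parse_form(content_type, body)
    if req is None:
        # An application/json request body is out of spec for this endpoint.
        return json_error("invalid_request", "request body must be " + FORM)
    if req.get("grant_type") != "authorization_code":
        return json_error("unsupported_grant_type", "only authorization_code is supported")
    issued = ISSUED_CODES.pop(req.get("code", ""), None)  # single use (4.1.2)
    if (issued is None or issued["client_id"] != req.get("client_id")
            or issued["redirect_uri"] != req.get("redirect_uri")):
        return json_error("invalid_grant", "unknown code or client/redirect_uri mismatch")
    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": secrets.token_urlsafe(32),
        "auth_ref": auth_ref,  # extension member, like example_parameter in the RFC excerpt
    }
    return 200, dict(JSON_HEADERS), json.dumps(token)


def location_params(headers):
    """Decode the query parameters of a 302 response's Location header."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(headers["Location"]).query).items()}


def json_body(response):
    """Decode the JSON body of a (status, headers, body) response tuple."""
    return json.loads(response[2])
```

The authorization endpoint deliberately returns a plain 400 rather than a redirect when the client or redirect_uri does not check out, because redirecting an error to an unverified URI is the open-redirect mistake RFC 6749 4.1.2.1 warns about; the token endpoint consumes each code exactly once.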