/login/oauth/access_token should return JSON, not Form URL Encoded

[davedelong]

Select Topic Area

Bug

Body

RFC 6749 § 5.1 says:

The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity-body of the HTTP response with a 200 (OK) status code: …

The parameters are included in the entity-body of the HTTP response using the "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JavaScript Object Notation (JSON) structure by adding each parameter at the highest structure level.

However, GitHub's implementation is non-compliant, because it returns values in application/x-www-form-urlencoded format. This makes it impossible to use standards-compliant OAuth libraries to access the GitHub API (such as the "AppAuth-iOS" library), because even the option of adding a custom Accept: header is out of spec for OAuth 2. Requests to add support to libraries are repeatedly denied. The official recommendation from these library providers is to fork their repository and make modifications to it.

GitHub should change their OAuth implementation to return application/json content.

[ghostinhershell]

Hi @davedelong,

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[davedelong]

@ghostinhershell This reply is not mine; that's why I reported it as spam.