Default to application/x-www-form-urlencoded on verification

[Zegnat]

I ran into this when testing against Telegraph. It sends an Accept header with */* but does not accept the JSON response (it seems).

Should we just default to application/x-www-form-urlencoded on the auth code verification step unless the Accept header specifies application/json?

[sknebel]

if it claims to accept */* that sounds like a bug in Telegraph, and and if I remember right I've seen other implementations that default to JSON (could be confusing it with token endpoints though). We should support both, but I'm not sure the default matters. /cc @aaronpk

[aaronpk]

Yeah sounds like Telegraph needs to send a better Accept header. Feel free to file an issue there and reference this one.

[Zegnat]

Is there a preferred default though, @aaronpk? For those that do Accept: */*, or include neither application/x-www-form-urlencoded nor application/json?

Although in the case of the latter, we should probably just error with 406 Not Acceptable.

[Zegnat]

indieauth/client supports JSON responses since version 0.2.0. Versions before that relied on application/x-www-form-urlencoded, which leads to problems in e.g. Telegraph.

That might be a reason for us to default to form encoding and only send JSON when requested.

[Zegnat]

Going to close this issue. As per indieweb/indieauth#18 (comment) the specification is more than likely to stop allowing form encoded responses completely.