fix: encode client_secret_basic - _ . ! ~ * ' ( ) characters

Because encodeURIComponent() encodes everything except alphanumericals
and `- _ . ! ~ * ' ( )` these need to be encoded explicitly similar to
how the resulting `%20' is replaced with '+'

This is as per RFC6749 Section 2.3.1 and Appendix B

src/index.ts

@@ -1031,7 +1031,24 @@ export interface PushedAuthorizationRequestOptions
  * using the same algorithm and used as the password.
  */
 function formUrlEncode(token: string) {
-  return encodeURIComponent(token).replace(/%20/g, '+')
+  return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {
+    switch (substring) {
+      case '-':
+      case '_':
+      case '.':
+      case '!':
+      case '~':
+      case '*':
+      case "'":
+      case '(':
+      case ')':
+        return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`
+      case '%20':
+        return '+'
+      default:
+        throw new Error()
+    }
+  })
 }
 
 /**

test/client_auth.test.ts

@@ -49,7 +49,8 @@ test('client_secret_basic (appendix b)', async (t) => {
         authorization(authorization) {
           const [, auth] = authorization.split(' ')
           for (const token of atob(auth).split(':')) {
-            t.is(decodeURIComponent(token), '+%&+£€')
+            t.false(/[^a-zA-Z0-9%+]/.test(token))
+            t.deepEqual(token, 'client+%25%26%2B%2D%5F%2E%21%7E%2A%27%28%29')
           }
           return true
         },
@@ -63,7 +64,7 @@ test('client_secret_basic (appendix b)', async (t) => {
 
   await lib.revocationRequest(
     { ...issuer, revocation_endpoint: endpoint('test-basic-encoding') },
-    { ...client, client_id: ' %&+£€', client_secret: ' %&+£€' },
+    { ...client, client_id: "client %&+-_.!~*'()", client_secret: "client %&+-_.!~*'()" },
     'token',
   )
   t.pass()