RFC Errata
RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012
Note: This RFC has been updated by RFC 8252, RFC 8996
Source of RFC: oauth (sec)
Errata ID: 5793
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Martin May
Date Reported: 2019-07-25
Section 2.3.1 says:
Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
It should say:
In addition to that, the authorization server MAY support including the client credentials in the request-body using the following parameters:
Notes:
Given that the authorization server MUST support the HTTP Basic authentication scheme in the paragraphs just before this one, using the word "alternatively" here can be understood as "instead of", which is not the intention and can lead to confusion for implementors.
This intention is further highlighted by the use of the word MAY in the paragraph above.
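An added example (not part of the erratum or of RFC 6749) of a token-endpoint check that follows the reading proposed above: HTTP Basic is always accepted, and request-body credentials are accepted in addition only when enabled. The function name, the `allow_body_credentials` flag and the dict-shaped request are assumptions made for illustration.

```python
import base64
from urllib.parse import unquote_plus


class ClientAuthError(Exception):
    """Raised when client authentication on the token request fails."""


def extract_client_credentials(headers, form, allow_body_credentials=False):
    """Return (client_id, client_secret, method) for a token request.

    headers: dict of request headers with lower-case keys (assumed shape)
    form:    dict of decoded application/x-www-form-urlencoded body fields
    """
    auth = headers.get("authorization", "")
    has_basic = auth[:6].lower() == "basic "
    has_body = "client_secret" in form

    # RFC 6749 section 2.3: at most one authentication method per request.
    if has_basic and has_body:
        raise ClientAuthError("multiple client authentication methods")

    if has_basic:  # MUST be supported, so never gated by configuration
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True)
            decoded = raw.decode("utf-8")
        except ValueError:
            raise ClientAuthError("malformed Basic credentials")
        client_id, sep, secret = decoded.partition(":")
        if not sep or not client_id:
            raise ClientAuthError("malformed Basic credentials")
        # Section 2.3.1: both values are form-urlencoded before Basic encoding.
        return unquote_plus(client_id), unquote_plus(secret), "basic"

    if has_body:  # MAY be supported, only in addition to Basic
        if not allow_body_credentials:
            raise ClientAuthError("request-body credentials not enabled")
        if not form.get("client_id"):
            raise ClientAuthError("client_id missing")
        return form["client_id"], form["client_secret"], "body"

    raise ClientAuthError("no client credentials")
```

A server that turns `allow_body_credentials` off still interoperates with every conforming client, whereas one that dropped the Basic branch would not.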