RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012
Source of RFC: oauth (sec)
Errata ID: 6017
Publication Format(s) : TEXT
Reported By: Michael Osipov
Date Reported: 2020-03-15
Section 2.3.1 says:
Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.
It should say:
Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC7617] to authenticate with the authorization server.
RFC 2617 has been superseded by RFC 7617, which clearly defines in section 2.1 how a charset can be provided to solve the use case described with encoding.
The original text of this RFC violates the approach described for Basic authentication.