OAuth logoOAuth Core draft -28 has been published. Changes were:

  • Updated the ABNF in the manner discussed by the working group, allowing username and password to be Unicode and restricting client_id and client_secret to ASCII.
  • Specifies the use of the application/x-www-form-urlencoded content-type encoding method to encode the client_id when used as the password for HTTP Basic.

OAuth Bearer draft -21 has also been published. Changes were:

  • Changed “NOT RECOMMENDED” to “not recommended” in caveat about the URI Query Parameter method.
  • Changed “other specifications may extend this specification for use with other transport protocols” to “other specifications may extend this specification for use with other protocols”.
  • Changed Acknowledgements to use only ASCII characters, per the RFC style guide.

The drafts are available at:

HTML-formatted versions are available at:

Thanks to Eran Hammer for approving the Core draft posting.