Authorization Endpoint HTTP POST binding

[panva]

2.1 added a lot of text around how clients form authorization requests, the language does not however account for the optional POST binding at the authorization endpoint.

The authorization server MUST support the use of the HTTP GET method Section 9.3.1 of [RFC9110] for the authorization endpoint and MAY support the POST method (Section 9.3.3 of [RFC9110]) as well.

Sections 3.1. Authorization Endpoint and 4.1.1. Authorization Request do not account for the optional POST binding which uses the request body to carry the application/x-www-form-urlencoded encoded parameters.

In OIDC there's explicit text around the request parameters.

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 7231 [RFC7231] at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization, per Section 13.1. If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2.

[aaronpk]

This has been resolved in #190, there is now a section that describes the serialization methods in an appendix, which is referenced elsewhere in the spec: https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#name-serializations