According to RFC 6749, section 2.3.1, the client id and secret should be URL-encoded. However, this results in an "invalid_client" response from OpenAM when the client id and/or secret contain URL-encoded characters.
The SaaS team encountered this error when the client lib we're using was updated to URL-encode:
- Create an OAuth client with a secret that contains an equals sign ( = ).
- Create the authorization header by URL-encoding the id and secret (e.g. "=" becomes "%3D"), concatenating with a colon ( : ), and then base64-encoding the resulting string.
- Use the encoded credentials to request an access token.
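
The steps above as an added example (not code from the report, the client library, or OpenAM): it builds the header the way RFC 6749 section 2.3.1 describes and shows what a receiver recovers with and without a URL-decode step. The credentials and function names are constructed, `quote_plus` stands in for the form-urlencoding step, and a skipped decode is only an assumed cause of the "invalid_client" response.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: form-urlencode each part, join with ':', then base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def parse_basic_header(header: str, url_decode: bool) -> tuple:
    """Server side: base64-decode, split on the first ':', optionally URL-decode."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if url_decode:
        # Decode only after splitting, so an encoded ':' (%3A) inside the
        # client id is not mistaken for the id/secret separator.
        user, password = unquote_plus(user), unquote_plus(password)
    return user, password


# Constructed sample credentials (hypothetical, for illustration only).
CLIENT_ID = "demo-client"
CLIENT_SECRET = "s3cr=t"
HEADER = build_basic_header(CLIENT_ID, CLIENT_SECRET)

if __name__ == "__main__":
    print(HEADER)
    # Without the decode step the secret arrives as "s3cr%3Dt" and will not
    # match the stored "s3cr=t".
    print(parse_basic_header(HEADER, url_decode=False))
    # With the decode step the original pair is recovered.
    print(parse_basic_header(HEADER, url_decode=True))
```
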