Incorrect OAuth endpoint behavior per RFC 6749 §2.3.1

Epic’s OAuth token endpoint (https://api.epicgames.dev/epic/oauth/v2/token) rejects client credentials that are application/x-www-form-urlencoded-encoded in the HTTP Basic Authorization header, as required by RFC 6749 §2.3.1. A secret containing characters like + or / works when sent raw (e.g. curl -u id:secret) but fails with invalid_client_credentials (numericErrorCode 18033) when the client percent-encodes it per spec. Standard OAuth libraries (e.g. Go’s The Go Programming Language ) encode by default, so Epic is effectively non-compliant with the Basic-auth credential-encoding requirement.

Supabase Issue with details: Custom OIDC: token exchange url-encodes client secret (RFC 6749 §2.3.1), breaking providers that expect a raw secret (Epic); real error masked by auto-detect fallback · Issue #2623 · supabase/auth · GitHub