Specification Violation in basic authentication

Issue #267 invalid
Former user created an issue

The OAuth2 SDK is handling basic authentication erroneously.

The class ClientSecretBasic defines the following method:

    public String toHTTPAuthorizationHeader() {

        StringBuilder sb = new StringBuilder();

        try {
            sb.append(URLEncoder.encode(getClientID().getValue(), UTF8_CHARSET.name()));
            sb.append(':');
            sb.append(URLEncoder.encode(getClientSecret().getValue(), UTF8_CHARSET.name()));

        } catch (UnsupportedEncodingException e) {

            // UTF-8 should always be supported
        }

        return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
    }

You are URL-encoding the clientId and the clientSecret, which is not part of the specification! The specification says this (https://tools.ietf.org/html/rfc6749#section-2.3.1):

    The client identifier is encoded using the
    "application/x-www-form-urlencoded" encoding algorithm per
    Appendix B, and the encoded value is used as the username; the client
    password is encoded using the same algorithm and used as the
    password.

This has nothing to do with encoding the values with URL-encoding! "application/x-www-form-urlencoded" defines only that parameters are set in the following scheme:

${param1Name}=${param1Value}&${param2Name}=${param2Value}

The URL-encoding itself is for parameters sent within a URL and for nothing else.

So the spec definition of OAuth2 only applies to cases where the parameters are sent within the POST body of the request and not within the "Authorization" header.
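For reference, an added stand-alone example (not the SDK's own code) that builds a client_secret_basic Authorization header the way the quoted method does, form-encoding each credential before joining with ':' and Base64-encoding, and then decodes it again on the receiving side. The credential values are constructed, and the example assumes Java 10 or later for the Charset overloads of URLEncoder/URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ClientSecretBasicDemo {

    // Build the header as the quoted SDK method does: form-encode
    // client_id and client_secret, join them with ':', then Base64.
    static String toHeader(String clientId, String clientSecret) {
        String userinfo = URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + ":"
                + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder()
                .encodeToString(userinfo.getBytes(StandardCharsets.UTF_8));
    }

    // Receiving side: Base64-decode, split on the FIRST ':' only, then
    // form-decode each half. Form-encoding turns any ':' inside a credential
    // into %3A, so the split is unambiguous even when the secret has a colon.
    static String[] fromHeader(String header) {
        if (!header.startsWith("Basic ")) {
            throw new IllegalArgumentException("not a Basic header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(6));
        String userinfo = new String(raw, StandardCharsets.UTF_8);
        int colon = userinfo.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] {
            URLDecoder.decode(userinfo.substring(0, colon), StandardCharsets.UTF_8),
            URLDecoder.decode(userinfo.substring(colon + 1), StandardCharsets.UTF_8)
        };
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the secret deliberately contains
        // characters (':' '+' '%' and a space) that form-encoding must escape.
        String clientId = "s6BhdRkqt3";
        String clientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw:x+y%z w";
        String header = toHeader(clientId, clientSecret);
        String[] creds = fromHeader(header);
        System.out.println(header);
        System.out.println("round trip ok: "
                + (clientId.equals(creds[0]) && clientSecret.equals(creds[1])));
    }
}
```

Removing the two URLEncoder calls from toHeader and re-running shows the difference: the secret's own ':' then collides with the separator and the round trip no longer reproduces the original values.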