The certification team have found an implementation that’s not compliant with RFC6749 text, in particular from https://tools.ietf.org/html/rfc6749#section-188.8.131.52 :
error_description OPTIONAL. Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred. Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
It’s been suggested that the certification tests should treat CR, LF, or TAB characters as only a warning, and not a failure, and hence implementations that include CR/LF/TAB in error_description would be allowed to certify.
The Python certification tests do not test this clause, but the FAPI tests do, and so do the in-development Java OpenID Connect certification tests.
Input from the working group as to the direction here would be appreciated. I guess one of the questions is whether there are any potential security or interoperability concerns from allowing a wider range of characters than OAuth2 permits.
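As an added illustration of the check in question (example code written here, not taken from the certification suites or the message above), a small Python validator that flags characters outside the RFC 6749 set for error and error_description and, in an optional lenient mode, reports CR/LF/TAB-only violations as a warning rather than a failure; the sample responses are constructed for the example:

```python
import re
from typing import Dict, List

# RFC 6749 allowed set for "error" and "error_description":
#   %x20-21 / %x23-5B / %x5D-7E
# i.e. printable ASCII with '"' (0x22) and '\' (0x5C) excluded, and no
# control characters, so the value can be embedded in quoted contexts
# (JSON, HTML attributes, log lines) without further escaping concerns.
ALLOWED_CHAR = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]")

# The characters the proposal would downgrade from failure to warning.
WHITESPACE_CONTROLS = {"\r", "\n", "\t"}


def offending_chars(value: str) -> List[str]:
    """Return every character of value that is outside the RFC 6749 set."""
    return [c for c in value if not ALLOWED_CHAR.fullmatch(c)]


def classify(value: str, lenient_whitespace: bool = False) -> str:
    """Classify a parameter value as 'pass', 'warn' or 'fail'.

    'warn' is only produced in lenient mode, and only when every offending
    character is CR, LF or TAB; anything else (quote, backslash, other
    control characters, non-ASCII) is always 'fail'.
    """
    bad = offending_chars(value)
    if not bad:
        return "pass"
    if lenient_whitespace and set(bad) <= WHITESPACE_CONTROLS:
        return "warn"
    return "fail"


def check_error_response(body: Dict[str, str],
                         lenient_whitespace: bool = False) -> Dict[str, str]:
    """Check the error parameters of a parsed OAuth 2.0 error response body."""
    return {param: classify(body[param], lenient_whitespace)
            for param in ("error", "error_description") if param in body}


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = [
        {"error": "invalid_request", "error_description": "Missing redirect_uri"},
        {"error": "invalid_request", "error_description": "line one\nline two"},
        {"error": "invalid_grant", "error_description": 'code "abc" rejected'},
    ]
    for sample in samples:
        print(check_error_response(sample, lenient_whitespace=True))
```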