Oh sorry, I meant in the authorization header. Do you think openid-client’s author is wrong about the rfc specification?