The format of the SASL/OAUTHBEARER client response is defined in RFC 7628 Section 3.1 as follows:
;;gs2-header = See RFC 5801 (Section 4)
The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:
This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01. The code should instead be as follows:
Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.
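As an added illustration of the conforming wire format (this is example code written for this report, not the OAuthBearerSaslClient or OAuthBearerSaslServer code itself), the following Python builds a client response with the %x01 separators in the places RFC 7628 Section 3.1 requires and parses one strictly, rejecting the malformed "n,,auth=..." shape. It assumes the fixed gs2-header "n,," used here, a constructed token value, and that the server treats a missing "auth" key as an error.

```python
import re
from typing import Dict, Optional

KVSEP = "\x01"          # kvsep = %x01 (RFC 7628 Section 3.1)
GS2_HEADER = "n,,"      # no channel binding, no authzid (RFC 5801 Section 4); assumed fixed here

# kvpair = key "=" value kvsep, with key = 1*(ALPHA) and value = *(VCHAR / SP / HTAB / CR / LF).
# value may itself contain "=", which is why the key is matched as a run of letters first.
_KVPAIR_RE = re.compile(r"\A([A-Za-z]+)=([\x21-\x7E \t\r\n]*)\Z")


def build_client_response(token: str, extra: Optional[Dict[str, str]] = None) -> str:
    """Encode client-resp = gs2-header kvsep *kvpair kvsep (the conforming form)."""
    pairs = {"auth": f"Bearer {token}", **(extra or {})}
    body = "".join(f"{key}={value}{KVSEP}" for key, value in pairs.items())
    return f"{GS2_HEADER}{KVSEP}{body}{KVSEP}"


def build_malformed_client_response(token: str) -> str:
    """The non-conforming shape described in the report: the auth kvpair glued onto the gs2-header,
    with no %x01 after the header, none after the value, and no terminating %x01."""
    return f"{GS2_HEADER}auth=Bearer {token}"


def parse_client_response(resp: str) -> Dict[str, str]:
    """Strict server-side parser. Returns the kvpairs, or raises ValueError for any response
    that does not match the RFC 7628 client-resp grammar."""
    if resp == KVSEP:
        # client-resp may also be a bare kvsep (the empty response a client sends after a server error)
        return {}
    if not resp.startswith(GS2_HEADER + KVSEP):
        raise ValueError("gs2-header missing, unsupported, or not followed by %x01")
    rest = resp[len(GS2_HEADER) + 1:]          # *kvpair kvsep
    if not rest.endswith(KVSEP):
        raise ValueError("missing terminating %x01")
    kvpairs = rest[:-1]                         # *kvpair, each ending in %x01
    pairs: Dict[str, str] = {}
    if kvpairs:
        if not kvpairs.endswith(KVSEP):
            raise ValueError("last kvpair value not followed by %x01")
        # values cannot contain %x01, so splitting on it yields exactly one chunk per kvpair
        for chunk in kvpairs[:-1].split(KVSEP):
            match = _KVPAIR_RE.match(chunk)
            if match is None:
                raise ValueError(f"malformed kvpair: {chunk!r}")
            key, value = match.groups()
            if key in pairs:
                raise ValueError(f"duplicate key: {key}")
            pairs[key] = value
    if "auth" not in pairs:
        raise ValueError("required 'auth' kvpair is absent")
    return pairs


def is_conforming(resp: str) -> bool:
    """Convenience check: True only if parse_client_response accepts the response."""
    try:
        parse_client_response(resp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = "constructed.token.value"          # placeholder, not a real credential
    good = build_client_response(token)
    bad = build_malformed_client_response(token)
    print(repr(good), "->", parse_client_response(good))
    print(repr(bad), "->", "conforming" if is_conforming(bad) else "rejected")
```

Note that a server that merely looks for "auth=" somewhere in the response accepts both shapes; a parser that walks the grammar, as above, accepts only the first, which is the behaviour OAuthBearerSaslServer needs once the client is fixed.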
This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.