This has nothing to do with it. There is no PUT and DELETE or POST with non-form body when *requesting a token*.
We need to do a better job not to confuse accessing protected resources with the flow calls. They are completely different.

EHL

On 4/16/10 7:02 PM, "James Manger" <[email protected]> wrote:

>> In either case, we should not restrict the access token URL to POST-only.
>> A GET request is just as secure and can be much easier to write code for

> If you are using GET, then refresh tokens and client secrets will end
> up side by side in web server log files.

These are exactly the sort of reasons why client authentication should be any "normal" auth scheme, and not an OAuth-special client_secret POST parameter. That fails for PUT, DELETE, and POST with a non-form body; and the security changes with GET.

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
