From what I recall, the intent was to use form parameters in the HTTP
entity body, in order to prevent query params leaking into logs (or
something like that). But I don't think there was intended to be a
prohibition on query parameters on POST. Since the auth endpoint is
almost exclusively accessed via a 302-style redirect, GET is obviously
far more useful in most cases.
As a data point, our implementation (based on Spring Security OAuth)
will take things in either the query parameters or the body to either a
GET or POST to the auth endpoint, but this is more of a side effect of
the Spring framework than anything. However, most webapp frameworks
(that I've used) go to great pains to abstract the method by which
parameters get passed in, unless you take the effort to lock things down
specifically yourself as the developer.
-- Justin
On 08/15/2013 09:20 PM, Mike Jones wrote:
http://tools.ietf.org/html/rfc6749#section-3.1 says:
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
Unfortunately, it's missing any details (that I can find, anyway) on
how to pass the parameters in if POST is used. If you follow the
examples of how "POST" is used at the token endpoint, they would be
passed in the message body, per the example at
http://tools.ietf.org/html/rfc6749#section-4.1.3. However, it seems
like it's also possible for them to be passed as query parameters in
the same manner as when using "GET".
Can anyone determine the intent of the spec on how to pass input
parameters when using POST to the Authorization Endpoint?
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
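The distinction Justin draws between what a framework hands the handler (query string and body merged, whatever the method) and a handler that locks the parameter source down per method, as an added example that is not code from the thread, from his implementation, or from Spring Security OAuth. It is a framework-free Python function that takes the raw method, query string, body and Content-Type; the strict variant reads only the query on GET and only a form-encoded body on POST, and applies the RFC 6749 section 3.1 rules that a parameter sent without a value is treated as omitted and that a parameter MUST NOT be included more than once. The function names, the `AUTHZ_PARAMS` set and the sample requests are constructed for the example (the parameter values follow the RFC 6749 section 4.1.1 illustration).

```python
from urllib.parse import parse_qsl

# Authorization request parameters from RFC 6749 section 4.1.1.
# (Constructed for this example; a real server would also cover extensions.)
AUTHZ_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state"}
FORM_TYPE = "application/x-www-form-urlencoded"


class InvalidRequest(Exception):
    """Maps to the 'invalid_request' error of RFC 6749 section 4.1.2.1."""


def _collapse(pairs):
    """Turn (name, value) pairs into a dict under the section 3.1 rules:
    an empty value means the parameter was omitted, and a parameter that
    appears more than once is an error rather than 'last one wins'."""
    params = {}
    for name, value in pairs:
        if value == "":
            continue
        if name in params:
            raise InvalidRequest(f"parameter {name!r} included more than once")
        params[name] = value
    return params


def permissive_params(method, query_string, body):
    """What a typical web framework exposes to the handler: query string
    and body merged regardless of method, later duplicates silently
    overriding earlier ones. Shown here only as the contrast case."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return dict(pairs)


def strict_authz_params(method, query_string, body, content_type=None):
    """Locked-down reading of an authorization request.

    GET:  parameters come from the query string only.
    POST: parameters come from a form-encoded body only; any OAuth
          parameter that also arrives in the query string is rejected,
          so the same name cannot be supplied twice via two channels.
    """
    if method == "GET":
        return _collapse(parse_qsl(query_string, keep_blank_values=True))
    if method == "POST":
        media_type = (content_type or "").split(";")[0].strip().lower()
        if media_type != FORM_TYPE:
            raise InvalidRequest(f"POST body must be {FORM_TYPE}")
        in_query = {n for n, _ in parse_qsl(query_string, keep_blank_values=True)}
        leaked = sorted(in_query & AUTHZ_PARAMS)
        if leaked:
            raise InvalidRequest(f"OAuth parameters in query string of POST: {leaked}")
        return _collapse(parse_qsl(body, keep_blank_values=True))
    raise InvalidRequest(f"method {method!r} not supported at the authorization endpoint")


def is_rejected(method, query_string, body, content_type=None):
    """True if the strict reader refuses the request (helper for callers
    that only need the accept/reject decision)."""
    try:
        strict_authz_params(method, query_string, body, content_type)
        return False
    except InvalidRequest:
        return True


if __name__ == "__main__":
    # Constructed sample: the RFC 6749 section 4.1.1 request, sent as GET.
    qs = ("response_type=code&client_id=s6BhdRkqt3&state=xyz"
          "&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb")
    print(strict_authz_params("GET", qs, ""))
    # The same parameters in a POST body, with client_id also smuggled in
    # the query string: the permissive reader merges, the strict one refuses.
    print(permissive_params("POST", "client_id=other", qs))
    print(is_rejected("POST", "client_id=other", qs, FORM_TYPE))
```

The strict reader is deliberately narrower than the spec requires (RFC 6749 does not say where POST parameters go), but it makes the handler's behaviour explicit instead of inheriting whatever merging the framework does, which is the point Justin raises.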