Fixing my "with this technique" url: it should have been https://gist.github.com/jmandel/4704d1efed8578a67a6f9b600ffd0c63 .
On Fri, Aug 11, 2017 at 4:00 PM, Josh Mandel <jman...@gmail.com> wrote:

> Hi All,
>
> I've just encountered a server that performs a redirect (back to the
> client's redirect_uri) via POST instead of GET. This was surprising
> behavior to me and broke my client implementation — but citing chapter and
> verse, the server developer pointed out that
> https://tools.ietf.org/html/rfc6749#section-1.7 says
>
>> While the examples in this specification show the use of the HTTP 302
>> status code, any other method available via the user-agent to accomplish
>> this redirection is allowed and is considered to be an implementation
>> detail.
>
> Is triggering a POST-based redirect (e.g. with this technique
> <https://gist.github.com/jmandel/4704d1efed8578a67a6f9b600ffd0c63)>) to
> the redirect_url (including url query parameters for state and code) indeed
> considered a "method available via the user-agent to accomplish this
> redirection"? In other words, should a well-behaved OAuth client be
> prepared to receive GETs as well as POSTs to its redirect_uri? If so, what
> would be the considerations for a server choosing between GET and POST?
>
> Best,
>
> Josh
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
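
Added example, not part of the original message or the linked gist: a Python function for a client's redirect_uri endpoint that reads `code` and `state` from the URL query whether the request arrives as GET or POST, which is the delivery described in the message above. The function name, the exception class and the sample values are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


class AuthorizationResponseError(Exception):
    """The request to redirect_uri is not a usable authorization response."""


def read_authorization_response(method, target, expected_state):
    """Return the authorization code carried by a request to redirect_uri.

    method         -- HTTP method of the incoming request
    target         -- request target, e.g. "/callback?code=...&state=..."
    expected_state -- state value this client stored for the user's session
    """
    # Accept both delivery methods. The parameters are read from the URL query
    # in either case, because that is where the server in the thread puts them;
    # a POST body, if any, is ignored.
    if method.upper() not in ("GET", "POST"):
        raise AuthorizationResponseError("unsupported method: " + method)

    params = parse_qs(urlsplit(target).query, keep_blank_values=True)

    # RFC 6749 section 3.1: parameters must not be included more than once.
    for name, values in params.items():
        if len(values) > 1:
            raise AuthorizationResponseError("repeated parameter: " + name)

    # Constant-time comparison; a missing or wrong state is rejected (CSRF).
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise AuthorizationResponseError("state mismatch")

    if "error" in params:  # error response, RFC 6749 section 4.1.2.1
        raise AuthorizationResponseError("authorization error: " + params["error"][0])

    code = params.get("code", [""])[0]
    if not code:
        raise AuthorizationResponseError("missing code")
    return code


if __name__ == "__main__":
    # Constructed sample request; the values are made up for illustration.
    print(read_authorization_response(
        "POST", "/callback?code=SAMPLE_CODE&state=s3ss10n", "s3ss10n"))
```

If `expected_state` is looked up through a session cookie, note that a cookie set with `SameSite=Lax` is not sent on a cross-site POST navigation, so the lookup can fail for POST delivery even though the same response delivered by GET would succeed.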