[Openid-specs-ab] Authz methods
Michael.Jones at microsoft.com
Sun Feb 5 22:14:40 UTC 2012
You're right that the Bearer spec doesn't say what method to use because HTTPbis doesn't either. I expect that people will normally use GET however. Is there a reason you believe that clients may want to use POST?
Unless there's an advantage to using POST over GET, given we're trying to test "normal cases" for this round of interop, I don't see a strong motivation to test using POST. But I'm adding the working group to my reply in case anyone else would like to weigh in.
From: Roland Hedberg [mailto:roland at catalogix.se]
Sent: Saturday, February 04, 2012 1:41 PM
To: Mike Jones
Subject: Authz methods
Just to check my understanding.
draft-ietf-oauth-v2-bearer-15 isn't explicit on this.
When you're using the "Authorization" header field it doesn't specify whether GET or POST is used.
The example is GET but nowhere in the text is says it has to be GET.
Form-encoded body part on the other hand is always POST.
So in you test matrix shouldn't we have:
UserInfo Endpoint Access with Header Method (GET) UserInfo Endpoint Access with Header Method (POST) UserInfo Endpoint Access with Form-Encoded Body Method
and likewise for Check ID ?
More information about the Openid-specs-ab