[Openid-specs-ab] Authz methods
ve7jtb at ve7jtb.com
Sun Feb 5 22:59:04 UTC 2012
Endpoints should support both GET and POST unless the spec specifically restricts itself to one or the other.
If using GET it is STRONGLY recommended that tokens not be passed in query parameters.
So GET effectively requires Authentication header support.
Some simple clients may not have access to modify headers, requiring POST.
On 2012-02-05, at 7:14 PM, Mike Jones wrote:
> You're right that the Bearer spec doesn't say what method to use because HTTPbis doesn't either. I expect that people will normally use GET however. Is there a reason you believe that clients may want to use POST?
> Unless there's an advantage to using POST over GET, given we're trying to test "normal cases" for this round of interop, I don't see a strong motivation to test using POST. But I'm adding the working group to my reply in case anyone else would like to weigh in.
> Thanks again,
> -- Mike
> -----Original Message-----
> From: Roland Hedberg [mailto:roland at catalogix.se]
> Sent: Saturday, February 04, 2012 1:41 PM
> To: Mike Jones
> Subject: Authz methods
> Hi Mike,
> Just to check my understanding.
> draft-ietf-oauth-v2-bearer-15 isn't explicit on this.
> When you're using the "Authorization" header field it doesn't specify whether GET or POST is used.
> The example is GET but nowhere in the text does it say it has to be GET.
> Form-encoded body part on the other hand is always POST.
> So in your test matrix shouldn't we have:
> UserInfo Endpoint Access with Header Method (GET)
> UserInfo Endpoint Access with Header Method (POST)
> UserInfo Endpoint Access with Form-Encoded Body Method
> and likewise for Check ID ?
> -- Roland
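As an added illustration of the three transmission methods debated above (not code from the thread or from any OpenID implementation), the following resource-side check accepts a bearer token from the Authorization header with either GET or POST, accepts the form-encoded body parameter only with POST, refuses the query-parameter method John recommends against, and rejects requests that use more than one method at once. The realm name, the header dictionary with canonical-case names, and the sample tokens are constructed assumptions.

```python
from urllib.parse import parse_qs

REALM = "userinfo"  # assumed realm name for the WWW-Authenticate challenge


def challenge(error=None, description=None):
    """Build the WWW-Authenticate header value a Bearer-protected resource returns."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def extract_bearer_token(method, headers, query, body=""):
    """Locate the bearer token in a request.

    headers: dict with canonical-case names (assumed normalized by the server).
    query:   raw query string; body: raw entity body.
    Returns (token, None) on success or (None, (status, www_authenticate)) on failure.
    """
    found = []
    # Method 1: Authorization header. Works with any HTTP method, GET included.
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        found.append(credentials.strip())
    # Method 2: form-encoded body parameter. Only valid where the body has
    # defined semantics, so GET is refused.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded" and body:
        form = parse_qs(body, keep_blank_values=True)
        if "access_token" in form:
            if method.upper() != "POST":
                return None, (400, challenge("invalid_request", "body parameter requires POST"))
            found.append(form["access_token"][0])
    # Method 3: URI query parameter. Refused here (tokens end up in logs and
    # referrers), following the recommendation in the reply above.
    if "access_token" in parse_qs(query):
        return None, (400, challenge("invalid_request", "token in query parameter is not accepted"))
    if len(found) > 1:
        return None, (400, challenge("invalid_request", "more than one token method used"))
    if not found:
        return None, (401, challenge())  # no token at all: bare challenge
    return found[0], None
```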