[Openid-specs-ab] Why did we require POST support for authentication requests?

Mike Jones Michael.Jones at microsoft.com
Fri Apr 3 18:15:20 UTC 2015

Per http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest, POST support is mandatory for authentication requests in Connect.

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization, per Section 13.1. If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2.

Per https://tools.ietf.org/html/rfc6749#page-25, POST support is optional for authorization requests in OAuth 2.0.

      The authorization server MUST support the use of the HTTP "GET"
      method [RFC2616] for the authorization endpoint and MAY support
      the use of the "POST" method as well.

Does anyone remember why we went beyond the OAuth 2.0 requirements in this regard?

                                                            -- Mike
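
The two serializations named in the quoted Connect text, shown side by side with an endpoint parser that accepts both. This is an added example, not part of the original message or of either specification; the endpoint URL and parameter values are constructed placeholders and the function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample request; endpoint and client values are placeholders.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
PARAMS = {
    "response_type": "code",
    "scope": "openid profile",
    "client_id": "s6BhdRkqt3",
    "state": "af0ifjsldkj",
    "redirect_uri": "https://client.example.org/cb",
}

def serialize_get(endpoint, params):
    """URI Query String Serialization: parameters travel in the URL query."""
    return "GET", endpoint + "?" + urlencode(params), {}, b""

def serialize_post(endpoint, params):
    """Form Serialization: parameters travel in the entity body."""
    body = urlencode(params).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", endpoint, headers, body

def parse_authz_request(method, url, headers, body):
    """Server side: recover the same parameter set from either method."""
    if method == "GET":
        raw = urlsplit(url).query
    elif method == "POST":
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype != "application/x-www-form-urlencoded":
            raise ValueError("unsupported Content-Type for POST")
        raw = body.decode("ascii")
    else:
        raise ValueError("method not allowed")
    parsed = parse_qs(raw, keep_blank_values=True, strict_parsing=True)
    # RFC 6749 section 3.1: parameters MUST NOT be included more than once.
    dupes = sorted(k for k, v in parsed.items() if len(v) > 1)
    if dupes:
        raise ValueError("repeated parameter: " + ", ".join(dupes))
    return {k: v[0] for k, v in parsed.items()}

if __name__ == "__main__":
    for build in (serialize_get, serialize_post):
        method, url, headers, body = build(AUTHZ_ENDPOINT, PARAMS)
        print(method, url, headers, body)
        print(parse_authz_request(method, url, headers, body))
```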
