[Openid-specs-ab] Why did we require POST support for authentication requests?

Justin Richer jricher at mit.edu
Fri Apr 3 19:01:22 UTC 2015


If I recall correctly, it was a question of making it easier for clients by making the server be more liberal (and predictable) with its inputs. That, and some people really hate GET. I don’t have references for this though.

A GET at the authorization endpoint makes a ton more sense though, given that it’s generally going to be due to a redirection response to the browser from some other page/app.

 — Justin

> On Apr 3, 2015, at 2:15 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> Per http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest <http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>, POST support is mandatory for authentication requests in Connect.
> 
> Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.) <http://openid.net/specs/openid-connect-core-1_0.html#RFC2616> [RFC2616] at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization, per Section 13.1 (Query String Serialization) <http://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization>. If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2 (Form Serialization) <http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization>.
> 
> Per https://tools.ietf.org/html/rfc6749#page-25 <https://tools.ietf.org/html/rfc6749#page-25>, POST support is optional for authorization requests in OAuth 2.0.
>       The authorization server MUST support the use of the HTTP "GET"
>       method [RFC2616 <https://tools.ietf.org/html/rfc2616>] for the authorization endpoint and MAY support the use of the "POST" method as well.
> 
> Does anyone remember why we went beyond the OAuth 2.0 requirements in this regard?
> 
>                                                             -- Mike
> 
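As an added illustration of the two serializations the quoted spec text names (not code from the thread, the spec, or any OpenID project), the following Python builds an authentication request both ways and shows an Authorization Server side that accepts GET and POST as Core requires while still parsing strictly; the endpoint URL and parameter values are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qsl

# Constructed placeholder; not an endpoint from the thread.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"

def build_get_request(params):
    """Query String Serialization (Core 13.1): parameters in the URL."""
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def build_post_request(params):
    """Form Serialization (Core 13.2): parameters in a form-encoded body."""
    return {"method": "POST", "url": AUTHZ_ENDPOINT,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(params)}

def parse_authorization_request(method, url, body=None, content_type=None):
    """Authorization Server side: accept GET or POST, as Core mandates.
    Being liberal about the method does not mean being liberal about the
    contents: duplicate or missing required parameters are rejected."""
    if method == "GET":
        raw = urlparse(url).query
    elif method == "POST":
        if content_type != "application/x-www-form-urlencoded":
            raise ValueError("POST must use form serialization")
        raw = body or ""
    else:
        raise ValueError("unsupported method: " + method)
    params = {}
    for key, value in parse_qsl(raw, keep_blank_values=True):
        if key in params:
            # Ambiguous requests are rejected rather than picking one value.
            raise ValueError("duplicate parameter: " + key)
        params[key] = value
    for required in ("scope", "response_type", "client_id", "redirect_uri"):
        if required not in params:
            raise ValueError("missing required parameter: " + required)
    if "openid" not in params["scope"].split():
        raise ValueError("scope must contain openid")
    return params
```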


