[Openid-specs-ab] Why did we require POST support for authentication requests?
ve7jtb at ve7jtb.com
Fri Apr 3 19:11:26 UTC 2015
Our requests may be larger than OAuth only requests due to the extra parameters.
It is also possible that some of them may be sensitive, such as the id_token_hint, which is better in a body than in a query parameter.
For interoperability having the servers support both made it simpler for clients.
Sent from my iPhone
> On Apr 3, 2015, at 3:15 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Per http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest, POST support is mandatory for authentication requests in Connect.
> Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.) [RFC2616] at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization, per Section 13.1 (Query String Serialization). If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2 (Form Serialization).
> Per https://tools.ietf.org/html/rfc6749#page-25, POST support is optional for authorization requests in OAuth 2.0.
> The authorization server MUST support the use of the HTTP "GET"
> method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.
> Does anyone remember why we went beyond the OAuth 2.0 requirements in this regard?
> -- Mike
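An added example, not part of this thread, showing the two serializations the quoted Connect Core text names (13.1 Query String Serialization for GET, 13.2 Form Serialization for POST) applied to the same authentication request, and where the id_token_hint ends up in each case. The endpoint, client values and the three-part id_token_hint are constructed placeholders, not real tokens.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHZ_ENDPOINT = "https://op.example.com/authorize"  # constructed placeholder

# Parameter names treated as sensitive for this example; the thread singles
# out id_token_hint as one that is better carried in a body than in a URL.
SENSITIVE_PARAMS = {"id_token_hint"}

# Constructed sample OpenID Connect authentication request. The id_token_hint
# is a dummy three-part string standing in for a real ID Token JWT.
SAMPLE_REQUEST = {
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://rp.example.org/cb",
    "scope": "openid profile email",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "id_token_hint": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIyNDgyODk3NjEwMDEifQ.dummy-signature",
}


def serialize_get(params, endpoint=AUTHZ_ENDPOINT):
    """Query String Serialization (Core 13.1): every parameter goes in the URL.
    Returns (url, body) with body None because GET carries no entity body."""
    return endpoint + "?" + urlencode(params), None


def serialize_post(params, endpoint=AUTHZ_ENDPOINT):
    """Form Serialization (Core 13.2): parameters travel in the request body
    as application/x-www-form-urlencoded. Returns (url, body)."""
    return endpoint, urlencode(params)


def sensitive_params_in_url(url):
    """Names from SENSITIVE_PARAMS that are exposed in the URL's query string,
    i.e. would land in access logs, proxy logs, Referer headers and history."""
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in query if name in SENSITIVE_PARAMS)


if __name__ == "__main__":
    get_url, _ = serialize_get(SAMPLE_REQUEST)
    post_url, post_body = serialize_post(SAMPLE_REQUEST)
    print("GET : %d-byte URL, exposes %s" % (len(get_url), sensitive_params_in_url(get_url)))
    print("POST: %d-byte URL, exposes %s" % (len(post_url), sensitive_params_in_url(post_url)))
    print("POST body:", post_body)
```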