On Fri, Apr 16, 2010 at 9:58 AM, Luke Shepard <lshep...@facebook.com> wrote:
> I guess I would prefer two URLs as well, but I see the simplicity argument as
> well:
>
>>> Constraints for endpoints:
>>> access token URL: HTTPS and POST only, no user
>>> user authentication URL: HTTP or HTTPS, GET or POST, authenticated user
>
> In either case, we should not restrict the access token URL to POST-only. A
> GET request is just as secure and can be much easier to write code for (just
> construct the URL and ping, no need to figure out CURLOPT_POSTFIELDS).

If you are using GET, then refresh tokens and client secrets will end up side by side in web server log files.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
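
An added example, not part of the original message: the log exposure described in the reply above, shown by scanning access-log lines for OAuth credentials carried in the query string and redacting them. The parameter names in `SENSITIVE`, the endpoint path and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# OAuth 2.0 parameter names that carry credentials (assumed set for this example).
SENSITIVE = {"client_secret", "refresh_token", "code", "password"}

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def leaked_params(line):
    """Return the sorted credential parameter names present in the logged URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name in SENSITIVE})


def redact(line):
    """Return the log line with credential values in the query string masked."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(name, "REDACTED" if name in SENSITIVE else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + target + line[m.end("target"):]


# Constructed sample log lines (hypothetical host, path and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2010:10:01:02 -0700] "GET /oauth/access_token'
    '?client_id=app1&client_secret=s3cr3t&refresh_token=rt-abc HTTP/1.1" 200 312',
    # Same request sent as POST: the credentials travel in the body, not the URL.
    '192.0.2.10 - - [16/Apr/2010:10:01:05 -0700] "POST /oauth/access_token HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(leaked_params(entry), redact(entry))
```

The POST line comes back with no findings because a standard access log records the request line but not the body.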