>> In either case, we should not restrict the access token URL to POST-only.
>> A GET request is just as secure and can be much easier to write code for

> If you are using GET, then refresh tokens and client secrets will end
> up side by side in web server log files.

These are exactly the sort of reasons why client authentication should be any "normal" auth scheme, and not an OAuth-special client_secret POST parameter. That fails for PUT, DELETE, and POST with a non-form body; and the security changes with GET.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
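The two points in this exchange (secrets in a GET query string end up in access logs; a client_secret body parameter only exists for form-encoded POSTs, while an Authorization header works for any method and body) can be made concrete by modelling what a typical access log captures. The following is an added example, not code from the thread or from any OAuth implementation; the token endpoint `https://as.example/token`, the client id and secret, the client IP and the log timestamp are all constructed sample values, and the log model assumes Combined Log Format, which records the request line (method, path and query) but not the Authorization header or the request body.

```python
"""Added example: where OAuth client credentials land in a web server access log
depending on how they are sent. Sample endpoint, credentials, IP and timestamp
are constructed for illustration.
"""
from base64 import b64encode
from urllib.parse import urlencode, urlsplit

# Constructed sample values (not real credentials).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw"
TOKEN_URL = "https://as.example/token"  # hypothetical authorization server


def token_request_get(grant: dict) -> dict:
    """client_secret as a query parameter: the GET variant discussed above."""
    params = {**grant, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return {"method": "GET", "url": f"{TOKEN_URL}?{urlencode(params)}",
            "headers": {}, "body": b""}


def token_request_post_form(grant: dict) -> dict:
    """client_secret as a form-body parameter. This shape only exists for
    POST with application/x-www-form-urlencoded; a JSON body, PUT or DELETE
    has no such parameter to carry the secret in."""
    params = {**grant, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(params).encode()}


def token_request_basic(method: str, body: bytes, content_type: str) -> dict:
    """Credentials in an HTTP Basic Authorization header: a 'normal' auth
    scheme that is independent of the HTTP method and of the body format."""
    cred = b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {"method": method, "url": TOKEN_URL,
            "headers": {"Authorization": f"Basic {cred}",
                        "Content-Type": content_type},
            "body": body}


def access_log_line(req: dict, client_ip: str = "203.0.113.5") -> str:
    """Model of a Combined Log Format entry: the request line (method, path
    and query string) is written out; request headers other than Referer and
    User-Agent, and the request body, are not."""
    parts = urlsplit(req["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'{client_ip} - - [10/Oct/2000:13:55:36 -0700] '
            f'"{req["method"]} {target} HTTP/1.1" 200 512 "-" "oauth-client/1.0"')


def secret_leaked_to_log(req: dict) -> bool:
    """True if the client secret would be recoverable from the access log."""
    return CLIENT_SECRET in access_log_line(req)


if __name__ == "__main__":
    grant = {"grant_type": "refresh_token", "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"}
    for name, req in [
        ("GET with query params", token_request_get(grant)),
        ("POST form body", token_request_post_form(grant)),
        ("PUT + JSON body + Basic auth",
         token_request_basic("PUT", b'{"grant_type":"refresh_token"}', "application/json")),
    ]:
        print(f"{name}: leaks secret to log = {secret_leaked_to_log(req)}")
        print("  ", access_log_line(req))
```

Running the script shows the GET variant writing both the refresh token and the client secret into the log line, while the form-body and Basic-auth variants leave the log free of credentials; the Basic-auth helper also accepts PUT, DELETE and JSON bodies unchanged, which the body-parameter variant cannot.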