Hi All,

I've just encountered a server that performs a redirect (back to the client's redirect_uri) via POST instead of GET. This was surprising behavior to me and broke my client implementation — but citing chapter and verse, the server developer pointed out that https://tools.ietf.org/html/rfc6749#section-1.7 says:

> While the examples in this specification show the use of the HTTP 302
> status code, any other method available via the user-agent to accomplish
> this redirection is allowed and is considered to be an implementation
> detail.

Is triggering a POST-based redirect (e.g. with this technique <https://gist.github.com/jmandel/4704d1efed8578a67a6f9b600ffd0c63>) to the redirect_uri (including URL query parameters for state and code) indeed considered a "method available via the user-agent to accomplish this redirection"?

In other words, should a well-behaved OAuth client be prepared to receive GETs as well as POSTs to its redirect_uri? If so, what would be the considerations for a server choosing between GET and POST?

Best,
Josh
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
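An added example (not part of Josh's message or any library) of what a redirect_uri handler that tolerates both delivery methods looks like: it takes the authorization response parameters from the query string on GET or from an application/x-www-form-urlencoded body on POST (the body encoding is an assumption about the POST technique), rejects duplicated parameters as RFC 6749 section 3.1 requires, and compares state to the value the client stored before it started the flow. The function names and the RedirectError type are hypothetical.

```python
import hmac
from urllib.parse import parse_qs


class RedirectError(Exception):
    """Raised when the authorization response must not be accepted."""


def extract_params(method: str, query_string: str, body: str, content_type: str) -> dict:
    """Return the response parameters from a GET (302 redirect) or a form POST.

    The parameters are the same either way; only where they travel differs.
    """
    if method == "GET":
        raw = query_string
    elif method == "POST":
        media_type = content_type.split(";", 1)[0].strip().lower()
        if media_type != "application/x-www-form-urlencoded":
            raise RedirectError("unsupported POST content type")
        raw = body
    else:
        raise RedirectError(f"unsupported method {method}")
    params = parse_qs(raw, keep_blank_values=True)
    # RFC 6749 section 3.1: response parameters MUST NOT appear more than once.
    for name, values in params.items():
        if len(values) != 1:
            raise RedirectError(f"parameter {name!r} repeated")
    return {name: values[0] for name, values in params.items()}


def handle_redirect(method: str, query_string: str, body: str,
                    content_type: str, expected_state: str) -> str:
    """Validate the authorization response and return the code to exchange.

    expected_state is the value the client bound to this user session before
    sending the user to the authorization server (assumed stored server-side).
    """
    params = extract_params(method, query_string, body, content_type)
    if "error" in params:
        raise RedirectError(f"authorization server error: {params['error']}")
    state = params.get("state", "")
    # Constant-time compare; a missing or foreign state means the response was not
    # the one this session asked for (CSRF or a mixed-up flow), so it is discarded.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise RedirectError("state mismatch")
    code = params.get("code")
    if not code:
        raise RedirectError("missing code")
    return code
```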