Re: [OAUTH-WG] Redirection in authorization code flow: GET vs POST

John Bradley <> Fri, 11 August 2017 20:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E31DC132031 for <>; Fri, 11 Aug 2017 13:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3Cytn6e4iWK7 for <>; Fri, 11 Aug 2017 13:19:03 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 30141131E75 for <>; Fri, 11 Aug 2017 13:19:03 -0700 (PDT)
Received: by with SMTP id u139so26313637qka.1 for <>; Fri, 11 Aug 2017 13:19:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=q4BhoEU36nFpPF11KJATGH2pvq/a9jF2c/pWHZGU7iI=; b=akoFA3I9gfQ0l8LqDTT7WkuRuR+sCebz59KM9UjJCEf1AJxGtAf9/uApUVKx/peuVj QxRpNcvawAcVE22ElPrKyZ1Y4EzWCr1ykQ3CUD3huJhKiLqnVJXj1WrCEfyerObnSUFY hp39C6Mz+2BQ6ND7JLrtC6jTrPA2mHaA57jSI0MCB6JuUTGUXogzRd9BFZ9U5ZK5FYcJ g1TqlgJWh+vApViDj5NE7axJuzP7P0P0JDTP7vuMH0GSQ+RR2vtKlYS+n3CnjyZHPoQt R8LOXnX81nX5MqjSNwND8OcV3hIuesQ57p8XoQLfMuZFkUTeve24uunDiUkcAKVr1Zfg ZVSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=q4BhoEU36nFpPF11KJATGH2pvq/a9jF2c/pWHZGU7iI=; b=Q+5G4uB+0V64t6CngRqJE0pNoZeXjeYRr3M4ak7aWzxS9NIPsjYAzujuvIOgR2IDik 8AuRJbESHhoP2fQjL9GuHPq9VBPU4FMvlOhI3g2Ijb5uxNxfd6qlH1m12OQkQdxZFP3O k07aLnxQZbAmCy6o6jzNamWh2GLepCvEjS7ZldDuJFtsywbPakoo44GSQ7+jMmrXxZ9r QCjwh1hPDgpYeAVF6i5FZE6kO5Ow7YgmUVkuh6em8E32QVruZwvgobDReIkRBqmVXQbR ei245qHQ9u7JYMPbgPbHqtVz5DEyslO5aRMMUbg1RuFEwLoVnl4NujSrR8LiA1LxpnwN dQvg==
X-Gm-Message-State: AHYfb5hWtBM6zlfCzqVH3TTrPfwUv5GDBMpvGU6jnHg8n5L11ppW1Itz wLuPnvbUI64z4LK8
X-Received: by with SMTP id l2mr14713280qki.3.1502482742021; Fri, 11 Aug 2017 13:19:02 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id y9sm1138821qkg.36.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 11 Aug 2017 13:19:00 -0700 (PDT)
From: John Bradley <>
Message-Id: <>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Fri, 11 Aug 2017 16:18:49 -0400
In-Reply-To: <>
Cc: " WG" <>
To: Josh Mandel <>
References: <> <>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11499ecc2669cb05568006c8"
Archived-At: <>
Subject: Re: [OAUTH-WG] Redirection in authorization code flow: GET vs POST
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Aug 2017 20:19:06 -0000

OpenID Connect formally defined a POST response mode. <>

The OAuth 2 spec docent preclude it.  

The safest thing for a client is to accept both.  
The main advantages of POST is that it docent leak in the referrer, and can handle larger responses without the browser choking in some cases.

Size is more of an issue in Connect where a id_token may be returned in the front channel and POST allows for the larger response without the client needing to have JS extract the fragment.

That is why Connect defined it and OAuth largely assumes that for code get is OK.
For security GET responses should add headers to prevent referrer from leaking the code.

We are adding advice on that to the Security document that is being updated now.

John B.

> On Aug 11, 2017, at 4:08 PM, Josh Mandel <> wrote:
> Fixing my "with this technique" url: it should have been <> .
> On Fri, Aug 11, 2017 at 4:00 PM, Josh Mandel < <>> wrote:
> Hi All,
> I've just encountered a server that performs a redirect (back to the client's redirect_uri) via POST instead of GET. This was surprising behavior to me and broke my client implementation — but citing chapter and verse, the server developer pointed out that <> says 
> While the examples in this specification show the use of the HTTP 302 status code, any other method available via the user-agent to accomplish this redirection is allowed and is considered to be an implementation detail.
> Is triggering a POST-based redirect (e.g. with this technique <>) to the redirect_url (including url query parameters for state and code) indeed considered a "method available via the user-agent to accomplish this redirection"? In other words, should a well-behaved OAuth client be prepared to receive GETs as well as POSTs to its redirect_uri? If so, what would be the considerations for a server choosing between GET and POST?
> Best,
>   Josh
> _______________________________________________
> OAuth mailing list