 

Should clients get OAuth 2 access tokens using GET or POST?

The OAuth 2.0 draft v2-22 Section 3.2 says:

The client MUST use the HTTP "POST" method when making access token requests.

However, if you look at the Facebook and Foursquare OAuth2 implementations, they ask the clients to make a simple GET request for requesting an access token. They ask the clients to place the client_id and client_secret in the URL.

I am building an OAuth 2 server and after seeing Facebook's and Foursquare's implementations, I am strongly considering also breaking the protocol to allow clients to request the access token via GET. My site's communication is using SSL, similar to Facebook and Foursquare.

So my question is this: Are there any good reasons why I shouldn't allow clients to request access tokens via the GET method over HTTPS?

Spike asked Nov 25 '11




1 Answer

The most common argument is that you should not put sensitive information in a query string (GET parameter), as web servers typically log the HTTP request URL. POST data can be arbitrarily long, so it is not usually logged. Therefore, when you're dealing with something like client_secret or code (although it's one-time use), it makes sense to have that passed in the POST payload.

IMHO, if you're using an OAuth 2.0 flow that doesn't require client_secrets (or you put that in the HTTP Authorization header, as recommended), I don't see an issue with allowing GET.

Scott T. answered Oct 05 '22
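As an added example (not code from the question or the answer, and not Facebook's or Foursquare's implementation), the Python below builds the same authorization-code token request both ways and feeds each through a simulated access-log line to show concretely what the answer is pointing at: a default Apache/nginx combined-format log records the request line, query string included, and records neither the Authorization header nor the request body. The token endpoint, client id, client secret and authorization code are constructed values; the HTTP Basic encoding of the client credentials follows RFC 6749 section 2.3.1 (the draft the question quotes became RFC 6749), which form-urlencodes the id and secret before base64-encoding them.

```python
"""Added example: where a client_secret ends up when an OAuth 2 token request
uses GET with query parameters versus POST with HTTP Basic client
authentication. Not code from the original post; all values are constructed."""
import base64
import urllib.parse

# Constructed sample values, not real credentials (hypothetical server and client).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://client.example.org/cb"
TOKEN_HOST = "auth.example.com"
TOKEN_PATH = "/token"


def token_request_via_get(client_id, client_secret, code):
    """The GET variant the question describes: credentials and code in the URL."""
    query = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return {
        "request_line": f"GET {TOKEN_PATH}?{query} HTTP/1.1",
        "headers": {"Host": TOKEN_HOST},
        "body": "",
    }


def token_request_via_post(client_id, client_secret, code):
    """The RFC 6749 shape: grant parameters in the form body, client credentials
    in an HTTP Basic Authorization header. RFC 6749 section 2.3.1 requires the
    id and secret to be form-urlencoded before they are joined and base64'd."""
    user = urllib.parse.quote(client_id, safe="")
    pw = urllib.parse.quote(client_secret, safe="")
    basic = base64.b64encode(f"{user}:{pw}".encode("ascii")).decode("ascii")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return {
        "request_line": f"POST {TOKEN_PATH} HTTP/1.1",
        "headers": {
            "Host": TOKEN_HOST,
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def access_log_line(request, client_ip="203.0.113.5"):
    """Simulated Apache/nginx combined-format access log entry. The default
    formats record the request line (method, path and query string), status,
    size, referer and user agent; they do not record the Authorization header
    or the request body, which is exactly why the POST variant leaks nothing."""
    return (f'{client_ip} - - [25/Nov/2011:22:11:00 +0000] '
            f'"{request["request_line"]}" 200 512 "-" "oauth-client/1.0"')


def secrets_in_log(log_line, *secrets):
    """Return, in argument order, the secrets that appear verbatim in a log line."""
    return [s for s in secrets if s in log_line]


def decode_basic_credentials(authorization_header):
    """What the token endpoint does with the Basic header: split scheme from
    payload, base64-decode, split on the first ':' (the form-encoding makes a
    ':' inside the id impossible), then undo the form-encoding."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(encoded).decode("ascii").partition(":")
    return urllib.parse.unquote(user), urllib.parse.unquote(pw)


if __name__ == "__main__":
    for name, req in (("GET ", token_request_via_get(CLIENT_ID, CLIENT_SECRET, AUTH_CODE)),
                      ("POST", token_request_via_post(CLIENT_ID, CLIENT_SECRET, AUTH_CODE))):
        leaked = secrets_in_log(access_log_line(req), CLIENT_SECRET, AUTH_CODE)
        print(f"{name} variant, secrets visible in access log: {leaked}")
```

The simulation only models the origin server's own log. TLS does not change the picture for anything that terminates TLS in front of the token endpoint (reverse proxies, load balancers, CDNs), since each of them has the same habit of logging the request line with its query string; the Basic header variant keeps the secret out of all of those logs but, being plain base64, still depends on TLS to protect it in transit.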