Basic 4.1 - HTTPS POST + access_token in Authorization header can be used.

Issue #279 resolved
hideki nara created an issue

This minor thing may have been discussed on ML.

[[http://openid.bitbucket.org/openid-connect-basic-1_0.html#anchor11|From October 30, 2011 Draft 15 of Basic]], we can request UserInfo via HTTPS POST + access_token in the Authorization header (only a distorted nerd will do that), but can't request it via HTTP POST + access_token as a form parameter.

Should we keep it ambiguous for OP developers or not?

Comments (4)

  1. Nat Sakimura

    Current text:

    access_token REQUIRED. The access_token obtained from an OpenID Connect Authorization Request. This parameter MUST only be sent using one method through either HTTP Authorization header or query string.

    Suggested text:

    access_token REQUIRED. The access_token obtained from an OpenID Connect Authorization Request. This parameter MUST only be sent using one method through either HTTP Authorization header or HTTP POST parameter.

  2. hideki nara reporter

    Is the URL query parameter (?access_token=token) not welcome?

    "4.2.1. Error Response" may provide error codes for an unacceptable combination of HTTP method and token variable.

    Anyway, OAuth Section 7 (v2-22) doesn't define the details:

    "...

    The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification, but generally involve an interaction or coordination between the resource server and the authorization server.

    The method in which the client utilized the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field [RFC2617] with an authentication scheme defined by the access token type specification."

    Also, JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (01) doesn't specify the type of HTTP method and request parameter when tokens are used to access resources.

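As an added example, not part of this issue thread and not code from the OpenID Connect Basic draft or from any OP: a toy UserInfo endpoint in Python that enforces the rule in Nat's suggested text (access_token via the HTTP Authorization header or an HTTP POST form parameter, and through exactly one of those methods) and, by default, refuses the query-string form hideki asks about. It assumes the OAuth 2.0 Bearer scheme (`Authorization: Bearer <token>`) and an application/x-www-form-urlencoded POST body; the error codes, URLs and token values below are constructed for this example.

```python
"""Accept the UserInfo access_token through exactly one transport method.

Added example, not text or code from the OpenID Connect Basic draft or any OP.
Assumptions: OAuth 2.0 Bearer scheme ("Authorization: Bearer <token>"), an
application/x-www-form-urlencoded POST body; error codes, URLs and tokens
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


class TokenError(Exception):
    """Carries an OAuth-style error code plus a human-readable description."""
    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code
        self.description = description


def _header(req: Request, name: str):
    """Case-insensitive header lookup; None when the header is absent."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def extract_access_token(req: Request, allow_query: bool = False):
    """Return (token, method) with method one of 'header', 'form', 'query'.

    Raises TokenError when the token is missing, malformed, presented through
    a method this endpoint does not accept, or presented through more than
    one method at once (the "MUST only be sent using one method" rule).
    """
    found = {}

    auth = _header(req, "Authorization")
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise TokenError("invalid_request", "malformed Authorization header")
        found["header"] = value.strip()

    ctype = (_header(req, "Content-Type") or "").lower()
    if req.method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req.body, keep_blank_values=True)
        if "access_token" in form:
            values = form["access_token"]
            if len(values) != 1 or not values[0]:
                raise TokenError("invalid_request", "access_token form parameter must appear exactly once")
            found["form"] = values[0]

    query = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    if "access_token" in query:
        if not allow_query:
            # Query-string tokens land in server logs, Referer headers and
            # browser history, so the endpoint refuses them unless opted in.
            raise TokenError("invalid_request", "access_token in the query string is not accepted")
        values = query["access_token"]
        if len(values) != 1 or not values[0]:
            raise TokenError("invalid_request", "access_token query parameter must appear exactly once")
        found["query"] = values[0]

    if not found:
        raise TokenError("invalid_request", "no access_token presented")
    if len(found) > 1:
        raise TokenError("invalid_request",
                         "access_token sent via more than one method: " + ", ".join(sorted(found)))
    method, token = next(iter(found.items()))
    return token, method


# Constructed token store standing in for the OP's own token validation.
_TOKENS = {"tok_example_1": {"sub": "248289761001", "name": "Jane Doe"}}


def userinfo(req: Request):
    """Toy UserInfo handler: returns (HTTP status, JSON-style body dict)."""
    try:
        token, _method = extract_access_token(req)
    except TokenError as e:
        return 400, {"error": e.code, "error_description": e.description}
    claims = _TOKENS.get(token)
    if claims is None:
        return 401, {"error": "invalid_token", "error_description": "unknown or expired access_token"}
    return 200, dict(claims)
```

The two-method check is what makes the "MUST only be sent using one method" wording enforceable: a request that carries the token both in the header and in the form body is refused rather than silently picking one, which is the ambiguity the issue is about.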