Standard 3 - Requiring use of POST at Token Endpoint

Issue #353 invalid
Michael Jones created an issue

The spec says "Clients MUST use the HTTP "POST" method to make requests to the Token Endpoint." Yaron Goland asks "I thought we wanted to support clients that can’t issue POSTs?" He wrote that, I believe, since it appeared to him that the reason for the Request File method is to support clients that can't do POSTs. This seems like a contradiction to him.

Is it a contradiction?

Comments (2)

  1. Nat Sakimura

    One must not conflate the client and the user-agent.

    The feature-phone browsers are user-agents, not clients. These user-agents in many cases cannot realistically do POST.

    However, the client in this case is the web server. Therefore, the client making POST request is perfectly fine.

    In this case, the client makes a redirect request to the UA, which then makes a GET request to the Authorization EP. Upon the grant, the code comes back via a redirect (thus GET), and the Client (Web Server), upon receipt of the code, makes a POST request to the Token EP.

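The exchange described in the comment above, as an added example that is not part of the issue, the spec text, or any project's code: a self-contained Python simulation with made-up endpoint URLs, client_id, client_secret and redirect_uri, a toy authorization server that accepts only POST at its Token Endpoint, and a web-server client that hands the user-agent nothing but redirects (GET) and performs the code exchange itself (POST).

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Made-up endpoints and credentials for the simulation; none of these are real.
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
TOKEN_ENDPOINT = "https://op.example/token"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw"
REDIRECT_URI = "https://rp.example/cb"


class WebServerClient:
    """The OIDC client. It runs on a web server, so issuing a POST is no problem."""

    def __init__(self):
        self.state = secrets.token_urlsafe(16)  # tied to the browser session; CSRF check
        self.nonce = secrets.token_urlsafe(16)  # echoed back in the ID Token (OIDC)

    def authorization_redirect(self):
        # Sent to the user-agent in a 302 Location header; the UA follows it with GET.
        query = urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid", "state": self.state, "nonce": self.nonce,
        })
        return "GET", f"{AUTHORIZATION_ENDPOINT}?{query}"

    def token_request_from_callback(self, callback_url):
        # The UA arrives at redirect_uri with a GET carrying code and state.
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback not bound to this session")
        code = params["code"][0]
        basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": REDIRECT_URI})
        # Server-to-server request; the user-agent is not involved at all.
        return "POST", TOKEN_ENDPOINT, headers, body


class ToyAuthorizationServer:
    """Stand-in OpenID Provider: single-use codes, POST-only Token Endpoint."""

    def __init__(self):
        self.codes = {}

    def authorize(self, method, url):
        if method != "GET":
            raise ValueError("toy authorize endpoint models the GET path only")
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"][0],
                            "redirect_uri": q["redirect_uri"][0]}
        # End user grants; the OP 302-redirects the UA back to the client (GET again).
        back = urlencode({"code": code, "state": q["state"][0]})
        return f"{q['redirect_uri'][0]}?{back}"

    def token(self, method, url, headers, body):
        if method != "POST":  # the MUST quoted in the issue
            return 405, {"error": "invalid_request",
                         "error_description": "Token Endpoint requires POST"}
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        if scheme != "Basic" or client_id != CLIENT_ID or \
                not secrets.compare_digest(secret, CLIENT_SECRET):
            return 401, {"error": "invalid_client"}
        form = parse_qs(body)
        grant = self.codes.pop(form.get("code", [""])[0], None)  # pop: code is single-use
        if (form.get("grant_type", [""])[0] != "authorization_code" or grant is None
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri", [""])[0]):
            return 400, {"error": "invalid_grant"}
        # ID Token signing is not modelled here; only the transport rule is shown.
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(token_method="POST"):
    """Run the whole exchange; token_method shows what a GET to the Token EP gets you."""
    client, op = WebServerClient(), ToyAuthorizationServer()
    method, url = client.authorization_redirect()            # client -> UA (302)
    callback_url = op.authorize(method, url)                 # UA -> OP (GET) -> 302 back
    _, url, headers, body = client.token_request_from_callback(callback_url)
    return op.token(token_method, url, headers, body)        # client -> OP (POST)


if __name__ == "__main__":
    print(run_flow())        # status 200: the web-server client POSTed
    print(run_flow("GET"))   # status 405: a GET at the Token Endpoint is refused
```

The only two requests the user-agent ever makes are the GET to the Authorization Endpoint and the GET to the client's redirect_uri, so a browser that cannot POST still completes the flow; the POST to the Token Endpoint, with the client credentials, happens between the client's web server and the OP.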