- changed status to open
Basic 4.1 - HTTPS POST + access_token in Authorization header can be used.
This minor thing may have been discussed on ML.
[[http://openid.bitbucket.org/openid-connect-basic-1_0.html#anchor11|From October 30, 2011 Draft 15 of Basic]], we can request UserInfo via HTTPS POST + access_token in the Authorization header (only a distorted nerd will do that), but can't request it via HTTP POST + access_token in a form parameter.
Should we keep it ambiguous for OP developers or not?
Comments (4)
- marked as major
reporter
Is the URL query parameter ( ?access_token= ) not welcome?
"4.2.1. Error Response" may provide error codes for unacceptable combination of HTTP method and token variable.
Anyway, OAuth Section 7 (v2-22) doesn't define the detail:
"...
The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification, but generally involve an interaction or coordination between the resource server and the authorization server.
The method in which the client utilized the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field [RFC2617] with an authentication scheme defined by the access token type specification."
Also, JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (01) doesn't specify the type of HTTP method and request parameter when tokens are used to access resources.
- changed status to resolved
Fix
Current text:
access_token REQUIRED. The access_token obtained from an OpenID Connect Authorization Request. This parameter MUST only be sent using one method through either HTTP Authorization header or query string.
Suggested text:
access_token REQUIRED. The access_token obtained from an OpenID Connect Authorization Request. This parameter MUST only be sent using one method through either HTTP Authorization header or HTTP POST parameter.
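To make the suggested text concrete from the resource server's side, here is an added example (not code from the OpenID Connect specification or from this thread) of how a UserInfo endpoint would locate the access_token under those rules: accept it in the Authorization header or as an HTTP POST form parameter, require that exactly one of the two methods is used per request, and refuse it in the URL query string. The `Request` model is a hypothetical minimal one assumed for the example; the error code `invalid_request` and the `WWW-Authenticate: Bearer` challenge follow the OAuth 2.0 bearer token usage spec (RFC 6750), which also states the "no more than one method per request" rule.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs


# Hypothetical minimal request model (an assumption of this example, not any
# library's API): HTTP method, headers, raw query string and raw body.
@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    query: str = ""
    body: str = ""


@dataclass
class TokenResult:
    token: Optional[str] = None  # the access_token, when exactly one was presented
    error: Optional[str] = None  # bearer error code, when the request is malformed


def extract_access_token(req: Request) -> TokenResult:
    """Locate the access_token a UserInfo request presents.

    Rules applied (the suggested text above, plus RFC 6750's one-method rule):
      - Authorization: Bearer <token>  or  POST form parameter access_token
      - exactly one of those two methods per request
      - the URL query string is never accepted
    """
    headers = {k.lower(): v for k, v in req.headers.items()}
    presented = []  # (transmission method, token value)

    auth = headers.get("authorization")
    if auth is not None:
        scheme, _, value = auth.partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            # Header present but not a usable Bearer credential
            return TokenResult(error="invalid_request")
        presented.append(("header", value.strip()))

    ctype = headers.get("content-type", "").split(";")[0].strip()
    if req.method.upper() == "POST" and ctype == "application/x-www-form-urlencoded":
        form = parse_qs(req.body, keep_blank_values=True)
        if "access_token" in form:
            presented.append(("form", form["access_token"][0]))

    if "access_token" in parse_qs(req.query, keep_blank_values=True):
        # A token in the query string ends up in server logs and Referer headers;
        # it is not an accepted transmission method here.
        return TokenResult(error="invalid_request")

    if len(presented) > 1:
        # Header and form parameter in the same request: reject, do not pick one
        return TokenResult(error="invalid_request")
    if not presented:
        # No token at all: the caller answers 401 with a plain Bearer challenge
        return TokenResult()
    return TokenResult(token=presented[0][1])


def www_authenticate(result: TokenResult, realm: str = "userinfo") -> str:
    """Build the WWW-Authenticate value for a 401 response (RFC 6750 section 3)."""
    if result.error is None:
        return f'Bearer realm="{realm}"'
    return f'Bearer realm="{realm}", error="{result.error}"'


if __name__ == "__main__":
    # Constructed sample requests, one per case
    samples = {
        "header": Request("GET", {"Authorization": "Bearer tok123"}),
        "form": Request("POST", {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
                        body="access_token=tok123"),
        "both": Request("POST", {"Authorization": "Bearer tok123",
                                 "Content-Type": "application/x-www-form-urlencoded"},
                        body="access_token=tok123"),
        "query": Request("GET", {}, query="access_token=tok123"),
        "none": Request("GET", {}),
    }
    for name, req in samples.items():
        print(f"{name:>6}: {extract_access_token(req)}")
```

The deliberate choice is to reject a request that uses two methods rather than silently prefer one: the two copies might differ, and accepting either would let a client (or an intermediary) smuggle a second token past whatever checks apply to the first.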