openid / connect / issues / #996 - Core - Explicitly Ban 307 as the authorization response redirect — Bitbucket

Issue #996 resolved

Nat Sakimura created an issue 2016-07-11

It is something that should be dealt within RFC6749 but we may as well note it.

Comments (4)

Michael Jones
- assigned issue to
  
  Michael Jones
We can write a note about this. Mike will create proposed text.
- 2016-07-25T22:39:09+00:00
Brian Campbell
A 307 is okay as long as it doesn't immediately follow something like the POSTing of credentials to the AS/OP. Not sure, but the note might be better positioned as considerations around when not to use a 307 vs. an outright ban.
- 2016-07-26T12:12:44+00:00
Michael Jones
https://sec.uni-stuttgart.de/_media/publications/FettKuestersSchmitz-TR-OAuth-2016.pdf Section 3.1 describes the problems with 307 redirects and recommends 303 redirects, since while 302s typically drop post bodies, that's due to common implementations rather than the actual specification of the 302 behavior.
- 2019-01-24T01:28:24+00:00
Michael Jones
- changed status to resolved
Fixed ~~#996~~ - Explicitly Ban 307 as the authorization response redirect

→ <<cset 3a71671479a2>>
- 2019-01-24T02:02:04+00:00
Log in to comment

Assignee: Michael Jones

Type: bug

Priority: major

Status: resolved

Component: Core

Milestone: Errata

Version: –

Votes: 0

Watchers: 0

Jira Software: the preferred issue tracker for Bitbucket. Join the team!