Core - Explicitly Ban 307 as the authorization response redirect
Issue #996
resolved
It is something that should be dealt with in RFC6749, but we may as well note it.
Comments (4)
A 307 is okay as long as it doesn't immediately follow something like the POSTing of credentials to the AS/OP. Not sure, but the note might be better positioned as considerations around when not to use a 307 vs. an outright ban.
https://sec.uni-stuttgart.de/_media/publications/FettKuestersSchmitz-TR-OAuth-2016.pdf Section 3.1 describes the problems with 307 redirects and recommends 303 redirects, since while 302s typically drop post bodies, that's due to common implementations rather than the actual specification of the 302 behavior.
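To make the difference concrete, here is an added illustration (not code from the issue or from the OpenID Connect specifications) that models how a user agent follows a redirect per RFC 7231 section 6.4 and shows why an authorization endpoint that has just received a credential POST should answer with 303 rather than 307. The hostnames, the login form body and the `code`/`state` values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[str] = None  # form-encoded body, if any


def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Return the request a user agent sends next, per RFC 7231 section 6.4."""
    if status in (307, 308):
        # 307/308: method and body MUST NOT change, so a POSTed password form
        # is re-POSTed, body and all, to the Location target.
        return Request(req.method, location, req.body)
    if status == 303:
        # 303: the user agent performs a GET on Location; the body is dropped.
        return Request("GET", location, None)
    if status in (301, 302):
        # RFC 7231 permits changing POST to GET here "for historical reasons";
        # browsers do, but that is implementation behaviour, not a guarantee.
        return Request("GET", location, None)
    raise ValueError(f"{status} is not a redirection status code")


def body_crosses_origin(original: Request, status: int, location: str) -> bool:
    """True if following the redirect delivers the original body to another host."""
    nxt = follow_redirect(original, status, location)
    return nxt.body is not None and urlsplit(nxt.url).netloc != urlsplit(original.url).netloc


def authorization_response(redirect_uri: str, code: str, state: str):
    """AS-side helper: build the authorization response redirect with 303, never
    307, so the user agent's credential POST is not forwarded to the client."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query) + [("code", code), ("state", state)]
    return 303, {"Location": urlunsplit(parts._replace(query=urlencode(query)))}


# Constructed sample: the resource owner's password POST to the AS login form.
LOGIN_POST = Request("POST", "https://as.example/login", "username=alice&password=hunter2")
STATUS, HEADERS = authorization_response("https://client.example/cb", "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj")
CALLBACK = HEADERS["Location"]

if __name__ == "__main__":
    for status in (307, 303):
        nxt = follow_redirect(LOGIN_POST, status, CALLBACK)
        print(status, nxt.method, nxt.url, "body forwarded:", nxt.body is not None)
```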
changed status to resolved
Fixed
#996 - Explicitly Ban 307 as the authorization response redirect → <<cset 3a71671479a2>>
We can write a note about this. Mike will create proposed text.