On Tue, Apr 30, 2019 at 5:03 AM Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> > On 26. Apr 2019, at 19:57, Brian Campbell <bcampb...@pingidentity.com> wrote:
> >
> > One thing that I think is missing from the article in the discussion of pros and cons is that in many cases a large or even voluminous request can be sent via auto submitting form post (like https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but the other way around from client to AS with the auth request), which doesn't then run into the same URI size problem.
>
> Thanks for pointing this out! Is the response mode often used in the wild for OAuth?

It's not really a "response mode" for sending the request but the idea is basically the same just going the other direction. The possibility is implied by the text near the end of https://tools.ietf.org/html/rfc6749?#section-3.1 that says, 'The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.' I know our AS will happily accept POST at the authorization endpoint and I suspect many others will too. But I don't have any data how often it is used in the wild for OAuth.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
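The auto-submitting form post discussed in the message above, as an added example that is not part of the original thread: it builds the same large authorization request once as a GET redirect URL and once as a POST form page, HTML-escaping every parameter. The endpoint URL, client values and scope names are constructed, and the AS is assumed to accept POST at its authorization endpoint (the RFC 6749 "MAY").

```python
import html
import secrets
from urllib.parse import urlencode

# Assumed endpoint, constructed for illustration only.
AUTHZ_ENDPOINT = "https://as.example.com/authorize"


def build_request_params(scope_count=400):
    """Constructed sample: an authorization request with a voluminous scope."""
    return {
        "response_type": "code",
        "client_id": "example-client",  # constructed value
        "redirect_uri": "https://client.example.org/cb",
        "state": secrets.token_urlsafe(16),
        "scope": " ".join(f"urn:example:resource:{i}:read" for i in range(scope_count)),
    }


def get_request_url(endpoint, params):
    """The usual redirect form: every parameter lands in the query string."""
    return endpoint + "?" + urlencode(params)


def form_post_page(endpoint, params):
    """Auto-submitting form carrying the same parameters in a POST body.

    Every name and value is HTML-escaped (quotes included) so a parameter
    cannot break out of its attribute and inject markup into the page.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(str(v), quote=True)}"/>'
        for k, v in params.items()
    )
    return (
        "<!DOCTYPE html>\n<html><head><title>Submit This Form</title></head>\n"
        '<body onload="document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(endpoint, quote=True)}">\n'
        f"{inputs}\n"
        '    <noscript><button type="submit">Continue</button></noscript>\n'
        "  </form>\n</body></html>\n"
    )


if __name__ == "__main__":
    params = build_request_params()
    print("GET URL length:", len(get_request_url(AUTHZ_ENDPOINT, params)))
    print(form_post_page(AUTHZ_ENDPOINT, {**params, "scope": "openid"}))
```

The POST body keeps the parameters out of the URL, so they are not subject to URI length limits in browsers and intermediaries, and they do not appear in the request line of access logs.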