On Fri, Dec 12, 2025 at 01:43:09PM +0100, Dick Hardt wrote:
> Authentication and authorization protocols (OAuth, OpenID Connect, SAML)
> use browser redirects to navigate users between applications and
> authorization servers. These redirects must carry protocol parameters,
> which historically appear in URLs or POSTed forms.
>
> Problem: URLs leak sensitive data through browser history, Referer headers,
> server logs, analytics, and JavaScript access.
>
> Solution: Redirect Headers move parameters into browser-controlled HTTP
> headers that aren't exposed in URLs or the DOM.
As it happens I just submitted draft-williams-http-bearer-extension-00 which addresses this or part of this. This was originally inspired by a PowerShell HTTP client command-line option to copy `Authorization:` headers from redirect _responses_ to redirected requests -- a non-standard HTTP extension.

(I've long thought that there should be a small set of headers that are to be copied from redirect response to redirected request, specifically those related to authentication/authorization, because the alternative is to camp on URI q-param design space, as SAML and OIDC do, and that's terrible, but also that defeats the point of not copying any headers from redirect responses to redirected requests.)

Nico
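To make the two behaviours under discussion concrete, here is a small Python model of a redirect-following user agent, added to this thread as an illustration and not taken from draft-williams-http-bearer-extension-00, the PowerShell client, or either poster. It contrasts the legacy flow (the authorization server puts the code in the redirect URL's query string, where it lands in history, Referer headers and logs) with the redirect-header idea (the URL stays clean and the code rides in a response header that the user agent copies onto the redirected request only if that header name is on a small allowlist). The hostnames, the `Authorization: Bearer` carrier header, the code value and the callback path are constructed for the demo; the real draft may define the header and its rules differently.

```python
"""Toy model of the redirect-header idea discussed in the thread (added
illustration, not the draft's specification).  Stdlib only, no network: the
"servers" are plain functions and every URL, header and token below is made up."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlencode, parse_qs

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed sample authorization code for the demo.
CODE = "SplxlOBeZQQYbYS6WxSbIA"

def auth_server_query(req):
    """Legacy style: the code rides in the redirect URL's query string,
    so it is exposed to history, Referer, server logs and JavaScript."""
    loc = "https://client.example/cb?" + urlencode({"code": CODE, "state": "xyz"})
    return Response(303, {"Location": loc})

def auth_server_header(req):
    """Redirect-header style: the Location URL carries no secret; the code is
    in a response header that a cooperating user agent copies onto the
    redirected request (header name is an assumption of this demo)."""
    return Response(303, {"Location": "https://client.example/cb",
                          "Authorization": "Bearer " + CODE})

def client_app(req):
    """The relying party's callback: extracts the code from the query or,
    failing that, from the Authorization header, and echoes what it got."""
    q = parse_qs(urlsplit(req.url).query)
    code = q.get("code", [""])[0]
    auth = req.headers.get("Authorization", "")
    if not code and auth.startswith("Bearer "):
        code = auth[len("Bearer "):]
    return Response(200, {}, body=f"code={code}")

def follow_redirects(req, servers, copy_headers=frozenset(), max_hops=5):
    """Send `req` and follow 3xx redirects.  Standard user-agent behaviour
    copies *no* headers from a redirect response onto the next request;
    `copy_headers` is the allowlist this user agent copies in addition.
    The allowlist is applied afresh on every hop, so a header only survives
    a second redirect if that second response sets it again.
    Returns (final_response, list of URLs requested)."""
    trace = []
    for _ in range(max_hops):
        trace.append(req.url)
        resp = servers[urlsplit(req.url).netloc](req)
        if resp.status not in (301, 302, 303, 307, 308) or "Location" not in resp.headers:
            return resp, trace
        next_headers = {name: resp.headers[name]
                        for name in copy_headers if name in resp.headers}
        req = Request("GET", resp.headers["Location"], next_headers)
    raise RuntimeError("too many redirects")

def run(flow, copy_headers=frozenset()):
    """Drive one authorization redirect through the toy user agent."""
    servers = {"as.example": flow, "client.example": client_app}
    start = Request("GET", "https://as.example/authorize")
    resp, trace = follow_redirects(start, servers, copy_headers)
    return resp.body, trace

def code_in_url(trace):
    """True if the secret appeared in any requested URL (the leak the thread is about)."""
    return any(CODE in url for url in trace)

if __name__ == "__main__":
    for label, flow, allow in [
        ("query string, default UA", auth_server_query, frozenset()),
        ("header, default UA (drops it)", auth_server_header, frozenset()),
        ("header, UA copies Authorization", auth_server_header, frozenset({"Authorization"})),
    ]:
        body, trace = run(flow, allow)
        print(f"{label:34s} -> {body:30s} leaked in URL: {code_in_url(trace)}")
```

The third case is the one the thread argues for: the client still receives the code, but no URL in the trace contains it. The second case shows why the user agent has to cooperate; a stock client that copies nothing from redirect responses simply loses the header. The model deliberately copies only the allowlisted names and only across a single hop; what a real specification would additionally have to say about scope (which targets may receive a copied header, https-only, and so on) is not modelled here.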
