I reread your proposal and see my response did not address what you actually proposed, sorry!
Your proposal would only work for the RPs that are using response_mode=form_post -- but for RPs that are expecting a query or fragment, they will fail if they get a POST. Also, if the RP is using response_mode=form_post, sending cookies with SameSite=Lax is not going to help, as they are not expecting that to work, and if they use cookies, they are using SameSite=none. The RP would also need to have updates for it to take advantage of the Redirect-Origin header. In short, I don't see how the RP is going to get the benefit unless the RP makes changes -- or am I missing something?

On Mon, Jan 5, 2026 at 6:49 PM Nick Watson <[email protected]> wrote:

> > The RP has to be updated if it is going to look for the response parameters in the headers first before looking at the query string or form body
>
> With my version of the proposal the RP doesn't need that. The browser handles it entirely, and the RP receives a normal-looking form post.
>
> On Mon, Jan 5, 2026 at 8:56 AM Dick Hardt <[email protected]> wrote:
>
>> To close out this thread, I've posted https://datatracker.ietf.org/doc/draft-hardt-httpbis-redirect-headers/ to datatracker and hope the work is adopted by the httpbis WG.
>>
>> On Tue, Dec 23, 2025 at 7:58 PM Dick Hardt <[email protected]> wrote:
>>
>>> On Tue, Dec 23, 2025 at 6:25 PM Nick Watson <[email protected]> wrote:
>>>
>>>> For OAuth/OIDC specifically, I'm worried about the amount of churn on RPs having to adopt Redirect-Query.
>>>
>>> The RP has to be updated if it is going to look for the response parameters in the headers first before looking at the query string or form body. Once the RP is making one change, doing the other one is simple. I would expect that this would be added to libraries and be invisible to the long tail of RPs.
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
