Why is postman sending form data in an HTTP GET?

Question

I received a Postman json collection from an API vendor that works perfectly, but has something mystifying to me: The request is in a GET format, yet there is an x-www-form-urlencoded body.

URL: https://login.microsoftonline.com/d1e<secret>9563/oauth2/token

And when I look at the postman-generated c# code, the mystery continues:

var client = new RestClient("https://login.microsoftonline.com/d1e...d3/oauth2/token");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials");
request.AddParameter("client_id", "c06bb...79");
request.AddParameter("client_secret", "7~u...D");
request.AddParameter("resource", "https://vault.azure.net");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

Note the AddParameter constructions for a GET call. To me, this must be a slight-of-hand for merely adding those values to the querystring. But when I look at the postman console I see:

In the postman console I would have expected to see those params appended to the url as a querystring, and then everything would have made sense. But you can see that it's a bonafide Request Body.

When I make GET calls in my c# code I like to use the simple yet solid WebClient object to call the DownloadString() method. But this method is only for GETs and there's no way to send a form-post style body, understandably.

Is postman truly sending a GET with all those values being appended to the url as a querystring? And should I do the same in my DownloadString() call? Or is there something else going on here? Should I instead, in my c#, be calling the UploadString() method and sending a form post BODY as a GET??

score 1 · Accepted Answer · answered Sep 13 '21 at 13:43

1

Http protocol supports adding a body to a request, but the WebClient class you use doesn't. Presumably because it isn't considered the norm.

I'm sure there's good reasons for Microsoft using it in the OAuth flow though. Those guys normally do things right!

HTTP GET with request body

answered Sep 13 '21 at 13:43

Luke

74
2

Thank you Luke. Do you think converting this request to a POST but leaving everything else the same, should work equally well? If so, that is my solution. – HerrimanCoder Sep 13 '21 at 13:48
If you're posting to login.microsoftlonline.com it depends on Microsofts implementation. No harm in trying. – Luke Sep 13 '21 at 13:55

score 0 · Answer 2 · answered Sep 13 '21 at 14:23

API is just an abstraction , you can send what ever you want to the API . It depends on the implementation , how the server handles these data.

Some services considers only what it requires and ignores other information

some services considers the entire requests and validates that it has only the allowed data. what should be allowed depends on the service

Postman is just a client that sends data to server , its upto you to decide what all information it should send . If you dont need any body then keep it as none. if you need some thing then add it.

Why is postman sending form data in an HTTP GET?

2 Answers2