
The OAuth 2.0 draft v2-22 Section 3.2 says:

The client MUST use the HTTP "POST" method when making access token requests.

However, if you look at the Facebook and Foursquare OAuth2 implementations, they ask the clients to make a simple GET request for requesting an access token. They ask the clients to place the client_id and client_secret in the URL.

I am building an OAuth 2 server and after seeing Facebook's and Foursquare's implementations, I am strongly considering also breaking the protocol to allow clients to request the access token via GET. My site's communication is using SSL, similar to Facebook and Foursquare.

So my question is this: Are there any good reasons why I shouldn't allow clients to request access tokens via the GET method over HTTPS?

Spike

1 Answer

The most common argument is that you should not put sensitive information in a query string (GET parameter), as web servers typically log the HTTP request URL. POST data can be arbitrarily long, so it is not usually logged. Therefore, when you're dealing with something like client_secret or code (although it's one-time use), it makes sense to have that passed in the POST payload.

IMHO, if you're using an OAuth 2.0 flow that doesn't require client_secrets (or you put that in the HTTP Authorization header, as recommended), I don't see an issue with allowing GET.

Scott T.
  • Good point about the server logs, but for OAuth2, we store the client_id and client_key in plaintext on our server anyway, so if this information is in our server logs, is this really that much worse than it already existing in our database? – Spike Nov 26 '11 at 19:10
  • Agreed - it's about the same then. If the web server and your OAuth AS are both under your control - no big deal allowing GET IMHO. – Scott T. Nov 26 '11 at 19:27
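To make the answer's logging point concrete, here is an added Python example (not from the question or answer; the client id, secret, code and the log line are constructed placeholders) that builds the token request both ways, writes the request line the way a Common Log Format access log would, and checks which values end up in the log; `redact_request_line` shows the mitigation for a server that accepts GET anyway.

```python
"""Why credentials in a GET query string to the token endpoint leak into
access logs, while a POST body or an Authorization header does not.
Added example; client_id/client_secret/code values are constructed."""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never reach a log file.
SENSITIVE_PARAMS = {"client_secret", "code", "refresh_token"}


def build_token_request(method, client_id, client_secret, code, basic_auth=False):
    """Return (request_line, headers, body) for an authorization-code exchange.
    GET puts everything in the query string (the Facebook/Foursquare style);
    POST puts it in the body, or the client credentials in HTTP Basic auth."""
    params = {"grant_type": "authorization_code", "code": code, "client_id": client_id}
    headers = {}
    if basic_auth:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        params["client_secret"] = client_secret
    if method == "GET":
        return f"GET /oauth/token?{urlencode(params)} HTTP/1.1", headers, ""
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return "POST /oauth/token HTTP/1.1", headers, urlencode(params)


def access_log_line(request_line, status=200):
    """Constructed Common Log Format entry: a typical web server records
    only the request line here, never request headers or the body."""
    return f'203.0.113.7 - - [26/Nov/2011:19:10:00 +0000] "{request_line}" {status} 512'


def leaked_values(log_line, secrets):
    """Return the subset of secret values that appear verbatim in the log line."""
    return {s for s in secrets if s in log_line}


def redact_request_line(request_line):
    """Defensive logging for servers that must accept GET: strip sensitive
    query parameters from the request line before it is written to the log."""
    method, url, version = request_line.split(" ", 2)
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SENSITIVE_PARAMS]
    return f"{method} {urlunsplit(parts._replace(query=urlencode(kept)))} {version}"
```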