Should clients get OAuth 2 access tokens using GET or POST?

Views: 1209

Problem description

The OAuth 2.0 draft v2-22 Section 3.2 says:

The client MUST use the HTTP "POST" method when making access token requests.

However, if you look at the Facebook and Foursquare OAuth2 implementations, they ask the clients to make a simple GET request for requesting an access token. They ask the clients to place the client_id and client_secret in the URL.

I am building an OAuth 2 server and, after seeing Facebook's and Foursquare's implementations, I am strongly considering also breaking the protocol to allow clients to request the access token via GET. My site's communication uses SSL, similar to Facebook and Foursquare.

So my question is this: Are there any good reasons why I shouldn't allow clients to request access tokens via the GET method over HTTPS?

Recommended answer

The most common argument is that you should not put sensitive information in a query string (GET parameters), as web servers typically log the HTTP request URL. POST data can be arbitrarily long, so it is not usually logged. Therefore, when you're dealing with something like client_secret or code (although it's one-time use), it makes sense to have that passed in the POST payload.

IMHO, if you're using an OAuth 2.0 flow that doesn't require client_secrets (or you put that in the HTTP Authorization header, as recommended), I don't see an issue with allowing GET.
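To make the logging argument in the answer concrete, here is an added example (not part of the original question or answer, and not the code of any of the providers mentioned). It builds the same authorization-code token request two ways: the GET style with client_id and client_secret in the query string, and the RFC 6749 Section 3.2 style with POST, HTTP Basic client authentication in the Authorization header, and the remaining parameters in a form-encoded body. It then renders what a default Common Log Format access log would record for each, which is the request line only. The endpoint, client credentials, authorization code and redirect URI are constructed placeholder values, not real ones.

```python
import base64
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample values for illustration only (hypothetical, not real credentials).
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
CLIENT_ID = "abc123"
CLIENT_SECRET = "s3cr3t"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://app.example.com/cb"


def get_style_params():
    """Parameters as a GET-style provider expects them: everything, including
    the client secret, goes into the query string."""
    return {
        "grant_type": "authorization_code",
        "code": AUTH_CODE,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def post_style_params():
    """Parameters for the RFC 6749 style request: client credentials are NOT
    here, they travel in the Authorization header instead."""
    return {
        "grant_type": "authorization_code",
        "code": AUTH_CODE,
        "redirect_uri": REDIRECT_URI,
    }


def build_get_request(params):
    """GET token request: returns (request_line, headers, body).
    The secret and the one-time code end up in the request line."""
    parts = urlsplit(TOKEN_ENDPOINT)
    request_line = f"GET {parts.path}?{urlencode(params)} HTTP/1.1"
    return request_line, {"Host": parts.netloc}, ""


def build_post_request(params):
    """POST token request per RFC 6749 sec. 2.3.1 / 3.2: client_id and
    client_secret are form-urlencoded, joined with ':' and base64-encoded into
    an HTTP Basic Authorization header; everything else is in the body."""
    creds = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
    basic = base64.b64encode(creds.encode("ascii")).decode("ascii")
    parts = urlsplit(TOKEN_ENDPOINT)
    request_line = f"POST {parts.path} HTTP/1.1"
    headers = {
        "Host": parts.netloc,
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return request_line, headers, urlencode(params)


def access_log_line(request_line, client_ip="203.0.113.7"):
    """Common Log Format entry as written by a typical web server with default
    settings: the request line is logged verbatim; headers and body are not."""
    return f'{client_ip} - - [10/Oct/2011:13:55:36 +0000] "{request_line}" 200 512'


def log_leaks_credentials(request_line):
    """True if the access log line would contain the client secret or the
    one-time authorization code."""
    line = access_log_line(request_line)
    return CLIENT_SECRET in line or AUTH_CODE in line


if __name__ == "__main__":
    for label, builder, params in (
        ("GET style", build_get_request, get_style_params()),
        ("POST style", build_post_request, post_style_params()),
    ):
        request_line, headers, body = builder(params)
        print(f"--- {label} ---")
        print(request_line)
        for k, v in headers.items():
            print(f"{k}: {v}")
        print()
        print(body)
        print("access log:", access_log_line(request_line))
        print("leaks credentials to log:", log_leaks_credentials(request_line))
        print()
```

Running it shows the GET request line, and therefore the default access log entry, carrying both client_secret and code in plain text, while the POST request's log entry contains only the path. TLS does not change this: the request line is decrypted by the server before it is logged, and the same URL can also end up in browser history, proxy logs and Referer headers.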
