I don’t remember if the spec makes a hard and fast rule on this, strictly speaking, but you’re certainly right that if it’s done via a GET it would be better for it to switch to POST.
--Misagh
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/59d21bfd-052c-4311-acb6-ee47102ceaa1%40apereo.org.
"For example, the client makes the following HTTP request using transport-layer security (with extra line breaks for display purposes only):"

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&username=johndoe&password=A3ddj3w
Cool. I feel uneasy about the spec saying “For example” :) but that’s neither here nor there.
The mechanics of how one should proceed to patch this are fairly simple: find the spot that handles the GET request in the OAuth module, tune it to also accept POST and use that method/handler when dealing with the particular grant type. (This I think is the easiest approach; the possibly-better alternative to ensure that grant type can only respond to POST requires other [breaking] changes that would be outside the scope of 5.1) Start with OAuth20AuthorizeEndpointController and work your way up. Post a pull request when ready, or better yet, when not ready as a WIP so others see what you’re working on and can provide early feedback.
More here: https://apereo.github.io/2017/07/05/cas-contribution-guide/
--Misagh
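The token-endpoint rule the thread converges on (the password grant is accepted over POST with a form body, never over GET where the resource owner's credentials would end up in the URL, access logs, browser history and Referer headers) as an added, language-neutral sketch. This is illustrative code written for this note, not CAS's Spring MVC controller or anything from the Apereo project; `handle_token_request`, `REGISTERED_CLIENTS` and the GET variant of the request are constructed assumptions. The POST request it validates is the one quoted above from RFC 6749 section 4.3.2.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed: the RFC 6749 §4.3.2 request quoted in the thread, split into the
# pieces a web framework hands to a handler (method, path, headers, raw body).
RFC_EXAMPLE = {
    "method": "POST",
    "path": "/token",
    "headers": {
        "Host": "server.example.com",
        "Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": "grant_type=password&username=johndoe&password=A3ddj3w",
}

# Constructed: the same grant attempted via GET, credentials in the query string.
GET_VARIANT = {
    "method": "GET",
    "path": "/token?grant_type=password&username=johndoe&password=A3ddj3w",
    "headers": {"Host": "server.example.com",
                "Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"},
    "body": "",
}

# Hypothetical client registry; a real server reads this from its service store.
# The values are the client id and secret encoded in the RFC example's Basic header.
REGISTERED_CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


def build_basic_auth(client_id, client_secret):
    """Encode client credentials as an HTTP Basic Authorization header value."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


def handle_token_request(req):
    """Token endpoint for grant_type=password. Returns (http_status, response_dict).

    Method is checked first: a GET is refused with 405 before anything in the
    query string is looked at, so the grant simply cannot be driven by a URL.
    """
    if req["method"] != "POST":
        return 405, {"error": "invalid_request", "allow": "POST"}

    media_type = req["headers"].get("Content-Type", "").split(";")[0].strip()
    if media_type != "application/x-www-form-urlencoded":
        return 400, {"error": "invalid_request"}

    # Client authentication (RFC 6749 §2.3.1), compared in constant time.
    creds = parse_basic_auth(req["headers"].get("Authorization"))
    expected = REGISTERED_CLIENTS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected, creds[1]):
        return 401, {"error": "invalid_client"}

    try:
        form = {k: v[0] for k, v in parse_qs(req["body"], strict_parsing=True).items()}
    except ValueError:
        return 400, {"error": "invalid_request"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not form.get("username") or not form.get("password"):
        return 400, {"error": "invalid_request"}

    # Resource-owner authentication against the user store would happen here
    # (constructed placeholder: the RFC example user is accepted as-is).
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer",
                 "scope": form.get("scope", "")}


if __name__ == "__main__":
    print(handle_token_request(RFC_EXAMPLE))   # 200 with a bearer token
    print(handle_token_request(GET_VARIANT))   # 405, grant refused over GET
```

Checking the method before touching any parameter is the point of the sketch: once the endpoint answers 405 to GET, the credentials in the GET variant's path never reach the authentication code, and the same handler still serves the RFC-shaped POST unchanged.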