Ancestors

Written by Erin 💽✨ on 2025-01-22 at 11:59

Early drafts of OAuth2 did what?!

Authorization servers respond to client requests by including a set of response parameters in the entity body of the HTTP response. The response uses one of three formats based on the format requested by the client (using the "format" request parameter or the HTTP "Accept" header field):

o The "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers.

  For example:

```
{
  "access_token":"SlAV32hkKG",
  "expires_in":3600,
  "refresh_token":"8xLOxBtZp8"
}
```

o The "application/xml" media type as defined by [RFC3023]. The parameters are serialized into an XML structure by adding each parameter as a child element of the root "<OAuth>" element. [[ Add namespace ]]

  For example:

```
<?xml version='1.0' encoding="utf-8"?>
<OAuth>
  <access_token>SlAV32hkKG</access_token>
  <expires_in>3600</expires_in>
  <refresh_token>8xLOxBtZp8</refresh_token>
</OAuth>
```

o The "application/x-www-form-urlencoded" media type as defined by [W3C.REC-html401-19991224].

  For example (line breaks are for display purposes only):

```
access_token=SlAV32hkKG&expires_in=3600&
refresh_token=8xLOxBtZp8
```

The authorization server MUST include the HTTP "Cache-Control" response header field with a value of "no-store" in any response containing tokens, secrets, or other sensitive information.

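As an added example (not Erin's code and not from the client she was reading), here is a Python token-response parser that accepts all three body formats the draft lists, selected on Content-Type, and reports whether the server set the Cache-Control: no-store the draft requires. The helper name is hypothetical and the sample responses are constructed from the draft's values.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs


def parse_token_response(headers, body):
    """Hypothetical helper: headers is a dict of response header names to values,
    body is the response text. Returns (params, cache_ok)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    media = hdrs.get("content-type", "").split(";")[0].strip().lower()

    if media == "application/json":
        params = json.loads(body)
        if not isinstance(params, dict):
            raise ValueError("token response must be a top-level JSON object")
    elif media == "application/xml":
        # stdlib ElementTree does not resolve external entities, but the body is
        # untrusted: accept only a flat <OAuth> root whose children carry text.
        root = ET.fromstring(body.encode("utf-8"))
        if root.tag != "OAuth":
            raise ValueError("unexpected XML root element %r" % root.tag)
        params = {child.tag: (child.text or "") for child in root}
    elif media == "application/x-www-form-urlencoded":
        # parse_qs returns lists; a repeated parameter is a malformed response.
        pairs = parse_qs(body, strict_parsing=True)
        if any(len(v) != 1 for v in pairs.values()):
            raise ValueError("repeated parameter in form-encoded token response")
        params = {k: v[0] for k, v in pairs.items()}
    else:
        raise ValueError("unsupported token response media type %r" % media)

    # XML and form encodings carry every value as a string; JSON carries numbers
    # as JSON numbers. Normalise so callers see one shape regardless of format.
    if "expires_in" in params:
        params["expires_in"] = int(params["expires_in"])

    # The draft requires "no-store" on any response carrying tokens.
    directives = [d.strip().lower() for d in hdrs.get("cache-control", "").split(",")]
    return params, "no-store" in directives


# Constructed sample responses, using the values quoted from the draft.
JSON_RESP = ({"Content-Type": "application/json", "Cache-Control": "no-store"},
             '{"access_token":"SlAV32hkKG","expires_in":3600,"refresh_token":"8xLOxBtZp8"}')
XML_RESP = ({"Content-Type": "application/xml; charset=utf-8", "Cache-Control": "no-cache, no-store"},
            "<?xml version='1.0' encoding=\"utf-8\"?><OAuth><access_token>SlAV32hkKG</access_token>"
            "<expires_in>3600</expires_in><refresh_token>8xLOxBtZp8</refresh_token></OAuth>")
FORM_RESP = ({"Content-Type": "application/x-www-form-urlencoded"},  # no Cache-Control at all
             "access_token=SlAV32hkKG&expires_in=3600&refresh_token=8xLOxBtZp8")
```

The third sample shows the check a client should make on the fossil path: a form-encoded body parses fine, but the missing no-store is still a server defect worth logging.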

Written by Erin 💽✨ on 2025-01-22 at 12:01

(I was looking at some OAuth 2 client code and found a fossil of this in the form of still supporting parsing responses in x-www-form-urlencoded format and I was like “what. why. did someone implement the spec wrong?!” and it looks like the answer is “no, the spec was just briefly bonkers”)


Written by Erin 💽✨ on 2025-01-22 at 12:02

(“did someone implement the spec wrong?” yes. of course they did. it's oauth 2. it's more vibes than a spec to begin with and yet people manage to find new and creative ways to violate the bits that are nailed down all the time)

Toot

Written by Scarlet ❤️‍🔥 on 2025-01-22 at 12:42

@erincandescent >“did someone implement the spec wrong?” yes

every single time 😭
