OAuth 2.0: Can a user-agent client avoid forwarding fragments?

Posted by Bosh on Stack Overflow See other posts from Stack Overflow or by Bosh
Published on 2010-05-20T15:01:49Z Indexed on 2010/05/20 23:20 UTC
Read the original article Hit count: 245

Filed under:
|
|

In the OAuth 2.0 draft specification, user-agent clients receive authorization in the form of a bearer token via redirection (from an authentication server) to a URL such as

HTTP/1.1 302 Found
Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600

According to Section 3.5.2 it is then the user-agent's job to GET the URL in question, but "The user-agent SHALL NOT include the fragment component with the request." In other words, as a result of the example redirection above, the user-agent should

 GET /rd HTTP/1.1
 Host: example.com

without passing #access_token to the server.

My question: what user agents behave this way? I thought redirection in Firefox, for example, would (logically) include the fragment in the GET request. Am I just wrong about this, or does the OAuth 2.0 specification rely on non-standard user-agent behavior?

© Stack Overflow or respective owner

Related posts about oauth

Related posts about user-agent