7

In section 2.3.1 of the the OAuth 2.0 Authorization Framework it states:

The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

It goes on further to say:

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited...

Why is it that including the client credentials in the request-body using the two parameters is not recommended?

I can think of any reason. If it is good enough for user credential to be in plain text in the request body, why isn't it good enough for client credentials? The client credentials are still in plain text despite the encoding required by the basic authorization. Am I missing something?

Community
  • 1
Adrian Toman
  • 171
  • 5

2 Answers2

3

One possible reason is that the request parameters are generally available to the web application, whereas depending on the platform the password used for basic authentication may be removed by the HTTP server from the HTTP sever variables set to prevent it being available to semi-trusted applications.

Ben
  • 3,737
  • 1
  • 19
  • 24
0

Possibly to prevent processing the request body in case of unsuccessful authentication, e.g. 401 error.

I am not sure how that may be different from general case of POSTing user credentials though. Except maybe (in OAuth 2.0/OIDC context) the token endpoint being potentially well-known/discoverable.

ko la
  • 101