Overview
Form Post Response Mode (form_post) is an OAuth 2.0 Response_mode in which Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User-agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format.
The action attribute of the form MUST be the OAuth Client's redirect_uri. The method attribute of the form MUST be POST.
Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the User-agent (and any intermediaries) not to store or reuse the content of the Authorization Response.
Any technique supported by the user-agent MAY be used to cause the submission of the form, and any form content necessary to support this MAY be included, such as submit controls and client-side scripting commands. However, the OAuth Client MUST be able to process the message without regard for the mechanism by which the form submission was initiated.
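The requirements above can be seen end to end in the following added example, which is not part of the original page or of any specification text. It builds the auto-submitting form on the Authorization Server side and decodes the POST body on the Client side. The function names, the exact markup, the header set and the `state` comparison are assumptions made for illustration, and the redirect_uri is assumed to have been matched against the client's registration already.

```python
import html
from urllib.parse import parse_qs

FORM_TYPE = "application/x-www-form-urlencoded"
# Tell the user-agent and any intermediaries not to store or reuse the
# single-use Authorization Response.
NO_STORE_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "Cache-Control": "no-cache, no-store",
    "Pragma": "no-cache",
}

def build_form_post_response(redirect_uri, params):
    """Authorization Server side: return (headers, html_body)."""
    # Escape every attribute value. Parameters such as state originate at
    # the client and are echoed back, so unescaped output here would be
    # an HTML injection sink on the Authorization Server's origin.
    fields = "\n".join(
        '      <input type="hidden" name="%s" value="%s"/>'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in params.items()
    )
    body = (
        "<html>\n  <head><title>Submit This Form</title></head>\n"
        '  <body onload="javascript:document.forms[0].submit()">\n'
        '    <form method="post" action="%s">\n%s\n    </form>\n'
        "  </body>\n</html>\n"
    ) % (html.escape(redirect_uri, quote=True), fields)
    return dict(NO_STORE_HEADERS), body

def parse_form_post(content_type, raw_body, expected_state):
    """Client side: decode the POSTed Authorization Response body."""
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        raise ValueError("unexpected Content-Type")
    parsed = parse_qs(raw_body, keep_blank_values=True, strict_parsing=True)
    # Reject duplicated parameters instead of silently picking one.
    if any(len(values) != 1 for values in parsed.values()):
        raise ValueError("duplicate parameter")
    result = {name: values[0] for name, values in parsed.items()}
    if result.get("state") != expected_state:
        raise ValueError("state mismatch")
    return result

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    sample = {"code": "SAMPLE_CODE", "state": "af0ifjsldkj"}
    headers, page = build_form_post_response(
        "https://client.example.org/callback", sample)
    print(headers["Cache-Control"])
    print(page)
```

The Client parser never looks at how the form was submitted; it only validates the content type and the decoded parameters.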
As described in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses], there are security implications to encoding response values in the URI Query string and in the URI Fragment Identifiers value. Some of these concerns can be addressed by using the Form Post Response Mode. In particular, it is safe to return Authorization Response parameters whose default Response_modes are the query encoding or the fragment encoding using the form_post Response_mode.