# HG changeset patch # User Matthew Wild # Date 1678099063 0 # Node ID 898575a0c6f3f6a494231b962801d256545f18f7 # Parent 942f8a2f722dff73c8303eb4e3287d9c1bd75494 mod_http_oauth2: Switch to '303 See Other' redirects This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is the only redirect code that guarantees the user agent will use a GET request, rather than re-submitting a POST request to the new URL. The latter would be bad for us, as we are encoding auth tokens in the form data. diff -r 942f8a2f722d -r 898575a0c6f3 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:29:14 2023 +0000 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:37:43 2023 +0000 @@ -211,7 +211,7 @@ redirect.query = http.formencode(query); return { - status_code = 302; + status_code = 303; headers = { location = url.build(redirect); }; @@ -229,7 +229,7 @@ redirect.fragment = http.formencode(token_info); return { - status_code = 302; + status_code = 303; headers = { location = url.build(redirect); }; @@ -396,7 +396,7 @@ .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); return { - status_code = 302; + status_code = 303; headers = { location = redirect_uri; };