mod_http_oauth2: Switch to '303 See Other' redirects
This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is
the only redirect code that guarantees the user agent will use a GET request,
rather than re-submitting a POST request to the new URL.
The latter would be bad for us, as we are encoding auth tokens in the form
data.
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:29:14 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:37:43 2023 +0000
@@ -211,7 +211,7 @@
redirect.query = http.formencode(query);
return {
- status_code = 302;
+ status_code = 303;
headers = {
location = url.build(redirect);
};
@@ -229,7 +229,7 @@
redirect.fragment = http.formencode(token_info);
return {
- status_code = 302;
+ status_code = 303;
headers = {
location = url.build(redirect);
};
@@ -396,7 +396,7 @@
.. "&" .. http.formencode({ state = q.state, iss = get_issuer() });
module:log("warn", "Sending error response to client via redirect to %s", redirect_uri);
return {
- status_code = 302;
+ status_code = 303;
headers = {
location = redirect_uri;
};