Can OpenID session_state be sent on POST?

Çağlar Arlı

We have a situation where the session_state param on an OpenID Connect/OAuth app is sent on GET. We asked the developers to send it on POST. Developers claim that because standard OIDC/OAuth use 302 redirects, GET is the only option and they cannot use POST.

Is that correct?

  • If yes, can you point to the standard doc explaining it? I could not find a doc specifying that.
  • If not, can you show an example of how POST can be implemented?
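
On the POST example asked for above: the OAuth 2.0 Form Post Response Mode specification defines `response_mode=form_post`, where the provider returns the authorization response parameters in an auto-submitted HTML form POSTed to the redirect URI instead of in the redirect URL. The following is an added example, not part of the original post; the endpoints, client ID and sample values are constructed, and it assumes the provider supports `form_post` and includes session_state in that response.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed values for illustration; not from the original post.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID = "example-client"
RESPONSE_PARAMS = {"code", "state", "session_state", "id_token"}


def build_auth_request(state, nonce):
    """Authorization request URL asking the provider to POST its response."""
    params = {
        "response_type": "code",
        "response_mode": "form_post",  # response comes back as a form POST
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_callback(method, content_type, body, query, expected_state):
    """Validate a form_post callback; return code/session_state or raise ValueError."""
    if method != "POST":
        raise ValueError("callback must be POST")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        raise ValueError("unexpected content type")
    # Refuse responses whose parameters still travel in the URL query string,
    # where they would end up in browser history, Referer headers and access logs.
    in_url = RESPONSE_PARAMS & set(parse_qs(query))
    if in_url:
        raise ValueError("response parameters in URL: " + ", ".join(sorted(in_url)))
    form = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if any(len(values) != 1 for values in form.values()):
        raise ValueError("duplicate parameter")
    fields = {name: values[0] for name, values in form.items()}
    # Constant-time comparison against the state stored for this browser session.
    if not hmac.compare_digest(fields.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in fields:
        raise ValueError("authorization error: " + fields["error"])
    return {"code": fields.get("code"), "session_state": fields.get("session_state")}
```

The initial authorization request is still a browser redirect; only the response back to the redirect URI moves into a POST body.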