OAuth2 Grant type Client Credentials - is GET method allowed

Question

I am accessing a service that is providing the access token over GET method that accepts client_id and client_secret as query string parameters. The service claims to be OAuth2 complaint. I looked at the OAuth2 spec for Client Credentials grant. This is what the spec says:

The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:

grant_type REQUIRED. Value MUST be set to "client_credentials".

scope OPTIONAL. The scope of the access request as described by Section 3.3.

The client MUST authenticate with the authorization server as
described in Section 3.2.1.

Even though it does not explicitly rules out the GET method, the spec is only allowing POST for the access token grant. Is it correct to say that OAuth2 spec does not allow GET method for getting the access token for client credentials grant?

Gary Archer Gary Archer · Accepted Answer · 2020-07-15T13:38:31

Feels like an incorrect implementation - OAuth specs would never recommend this, since:

Credentials will typically be recorded in web server logs, which is bad
GET Requests could be cached at various places in the HTTP pipeline, leading to an old token being returned

POST requests do not have the above problems of course.

OAuth2 Grant type Client Credentials - is GET method allowed

2 Answers