indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Include Cache-Control and Pragma headers in token exchange response example #117

Open barnabywalters opened 1 year ago

barnabywalters commented 1 year ago

According to https://www.rfc-editor.org/rfc/rfc6749#section-5.1, token exchange responses MUST contain the following headers:

```
Cache-Control: no-store
Pragma: no-cache
```

Consider adding these to https://indieauth.spec.indieweb.org/#example-12 to make it more likely that people implementing IndieAuth servers based purely on the IndieAuth spec include them.

sknebel commented 1 year ago

Good idea, definitely do that IMHO.

barnabywalters commented 1 year ago

Looks like it might be better to reduce this to only Cache-Control: no-store, as while Pragma is required for OAuth 2.0, it's dropped in 2.1 due to its behaviour being undefined (https://github.com/Taproot/indieauth/issues/22).
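As an added example (not code from the indieauth repository or the spec), a small check for the token-response headers discussed in this thread, treating Pragma as required under RFC 6749 but optional once the OAuth 2.1 behaviour is followed; the sample responses are constructed.

```python
"""Check a token endpoint response against the cache-header requirements of
RFC 6749 section 5.1, with the OAuth 2.1 variant that drops Pragma.
Added example, not part of the IndieAuth spec or the indieauth repo."""


def cache_directives(value):
    """Split a Cache-Control value into a set of lowercase directive names,
    so that e.g. 'no-cache, no-store, max-age=0' still counts as no-store."""
    return {
        part.strip().split("=", 1)[0].lower()
        for part in value.split(",")
        if part.strip()
    }


def check_token_response(headers, oauth_2_1=False):
    """Return a list of problems with the headers of a token exchange response.

    headers: dict of header name -> value; names are compared case-insensitively.
    oauth_2_1: when True, Pragma is not required (OAuth 2.1 drops it)."""
    norm = {k.lower(): v for k, v in headers.items()}
    problems = []
    media_type = norm.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append("Content-Type must be application/json")
    if "no-store" not in cache_directives(norm.get("cache-control", "")):
        problems.append("Cache-Control must include no-store")
    # RFC 6749 requires Pragma: no-cache; OAuth 2.1 removes it because its
    # behaviour is undefined, so only flag it for OAuth 2.0 responses.
    if not oauth_2_1 and norm.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma must be no-cache (OAuth 2.0 only)")
    return problems


def token_response_headers(oauth_2_1=False):
    """Headers an IndieAuth token endpoint should send with the token JSON."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if not oauth_2_1:
        headers["Pragma"] = "no-cache"
    return headers


# Constructed sample: a response that carries only the JSON content type,
# i.e. the kind of example the issue asks to extend with cache headers.
SAMPLE_WITHOUT_CACHE_HEADERS = {"Content-Type": "application/json"}

if __name__ == "__main__":
    print(check_token_response(SAMPLE_WITHOUT_CACHE_HEADERS))
    print(check_token_response(token_response_headers()))
```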