Consider sending token auth data via post body instead of uri parameters

[youngm]

Currently it appears that in 2.0.1 the data sent to via post to /oauth/token sends it's data via url parameters instead of post body.

This exposes user and/or client credentials to uaa access logs, router access logs, and CF firehose HttpStartStop events to name a few.

Thoughts on sending this data via post body instead?

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/131932417

The labels on this github issue will be updated when the story is started.

[nebhale]

@youngm The UAA docs are pretty explicit that this is the preferred way to acquire tokens. Have you talked with that team about this concern?

[youngm]

@nebhale Hmm.....I'm not seeing that explicit recommendation in the documentation. In fact it seems to me that in all their examples they send passwords using curl -d which I believe sends the data via body in a POST "in the same way that a browser does when a user has filled in an HTML form" as the curl man page says.

That said the UAA team probably shouldn't even accept that data in the Request URI if it isn't explicitly required by the OAuth spec or something. I'll do some research and perhaps open another issue with them about that.

[youngm]

I also double checked. It appears that request parameters aren't sent over the firehose so that is good. But uri parameters are logged in the router access log.

[youngm]

It appears the oauth spec wants this data via "entity-body" as well. So, I created an issue on the UAA side also. cloudfoundry/uaa#462