Review of proposed final OAuth 2.0 Form Post Response Mode specification

Published February 16, 2015
The OpenID Connect Working Group recommends approval of the following specification as an OpenID Final Specification:
  • OAuth 2.0 Form Post Response Mode 1.0 – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This note starts the 60 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Friday, April 17, 2015. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as Final Specifications and Implementer’s Drafts. For the convenience of members, voting may begin up to two weeks before Friday, April 17th, with the voting period still ending on Friday, April 24, 2015.

A description of OpenID Connect can be found at
The working group page is
Information on joining the OpenID Foundation can be found at

If you’re not already a member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at, and (3) sending your feedback to the list.

-- Michael B. Jones, OpenID Foundation Secretary

UPDATE: The working group has added a sentence about not caching responses and updated the example Cache-Control directive. The RFC 2616 reference has also been updated to RFC 7230. The originally posted version is available at the location below to facilitate comparison between the original version and the current version with the corrections applied: