Edward Jiang
No, that's really weird. This endpoint should respond to what you're posting. The only thing I can think is that the @ sign shouldn't be percent encoded? I'll have to...
I have a hosted version of express-stormpath you can try hitting at https://stormpathnotes.herokuapp.com. See if you can register and use the OAuth endpoint on there? Code for mine at https://github.com/stormpath/stormpath-express-mobile-notes-example
Ah! I was talking with someone else about a similar issue and figured out (most likely) what's going on with your issue. Are you using body-parser elsewhere in your application?...
Awesome! By the way, I think it's considered best practice to pin the signing algorithm when verifying a JWT. Otherwise: - An attacker can change `alg: none` in the header,...
Awesome, didn't realize that. Thanks!
Not stale, can someone please reopen?
Should be something like this: 
I'm really confused on why we're offering cookies on `/oauth/token` in the first place -- this endpoint should not be setting cookies at all
Not sure! Looks like Adblock Pro's popover also disappears if I alt tab, but Chromecast uses some sort of modal that doesn't disappear.
I definitely want to do both, but I haven't planned exactly the approach I'd be taking. If it's self-hosted, that reduces complexity of writing code but may be less convenient...