Details
Improvement
Status: Open
Major
Resolution: Unresolved
Description
Today, InvokeHTTP drops the body when the method used isn't PUT, POST, or PATCH (as stated in the documentation). The RFC states that DELETE with a body isn't generally used, but doesn't disallow it.
In my case, I'm using InvokeHTTP to interact with Keycloak's Admin REST API. They use DELETE with a body in quite a few cases, for example in my specific use case:
https://www.keycloak.org/docs-api/21.0.1/rest-api/#_role_mapper_resource
(referring to: Delete realm-level role mappings)
Additional information:
Although request message framing is independent of the method used, content received in a DELETE request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT generate content in a DELETE request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.
https://www.rfc-editor.org/rfc/rfc9110.html#name-delete
During discussion with Otto Fowler, he stated that this is disabled in the HTTPMethod enum.
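
Added example, not part of the original issue and not NiFi or Keycloak code: a socket-free sketch showing that dropping the body on DELETE is a client-side policy, while the origin frames the body from Content-Length regardless of method and can reject ambiguous framing. The function names, the path, the host and the role entry are constructed placeholders.

```python
import json

# Methods the issue says InvokeHTTP sends a body for today.
BODY_METHODS_TODAY = {"PUT", "POST", "PATCH"}

def build_request(method, path, host, body=b"", body_methods=BODY_METHODS_TODAY):
    """Serialize an HTTP/1.1 request; the body is dropped unless the method is allowed one."""
    if method not in body_methods:
        body = b""  # client-side policy, not a protocol rule
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if body:
        lines += ["Content-Type: application/json", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body

def parse_request(raw):
    """Origin-side framing: body length comes from Content-Length, never from the method."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A strict origin refuses ambiguous framing instead of guessing.
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("truncated body")
    return method, path, rest[:length]

# Constructed sample: placeholder path and role entry, not real Keycloak values.
SAMPLE_PATH = "/example/role-mappings"
SAMPLE_BODY = json.dumps(
    [{"id": "00000000-0000-0000-0000-000000000000", "name": "example-role"}]
).encode("ascii")

def demo():
    """Return the body the origin sees with today's policy and with DELETE allowed."""
    today = build_request("DELETE", SAMPLE_PATH, "origin.example", SAMPLE_BODY)
    allowed = build_request("DELETE", SAMPLE_PATH, "origin.example", SAMPLE_BODY,
                            body_methods=BODY_METHODS_TODAY | {"DELETE"})
    return parse_request(today)[2], parse_request(allowed)[2]

if __name__ == "__main__":
    print(demo())
```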