👋 Hi, I work on the pre-release AWS SDK for Kotlin and we use OkHttp as our default HTTP engine for sending requests to AWS services. It's a fantastic HTTP client but we've recently discovered that it does not support bodies in GET requests. It looks like there was discussion with okhttp on GH about these kinds of requests previously and the stance at the time was "It’s unlikely we’ll ever support request bodies with GET." Unfortunately, it seems that multiple AWS services have multiple GET APIs which allow (or even require) bodies. Has the stance on GET bodies changed recently? Would the OkHttp team be open to accepting a pull request that enabled GET bodies, possibly enabled by an opt-in config option?

Does AWS often write endpoints that don’t adhere to the HTTP spec? 😅 https://www.rfc-editor.org/rfc/rfc7231#page-24

A payload within a GET request message has no defined semantics;

sending a payload body on a GET request might cause some existing

implementations to reject the request.

I wouldn't say it doesn't adhere to it, since it isn't forbidden. Maybe it's just ill advised

Does AWS often write endpoints that don’t adhere to the HTTP spec?

Out of 11k+ operations across 300+ services we have identified < 10 operations that use

GET

with a body. There is now model validation in place to prevent introducing new APIs from using

GET

with a body. I wouldn't call it common but some older APIs have unfortunately modeled their operations this way.

okhttp also doesn't allow bodies with DEL requests (bad backend devs) which I think is the right thing to do as well FWIW 🙂

I thought it does through a flag I was thinking of something else

Well "bad backend devs" may be true (or at least debatable given that the RFC does not forbid GET bodies) but the reality is those APIs exist and clients need some way of calling those services and passing bodies for some operations.

“Add out-of-spec support for bodies on GETs for <10 bespoke AWS endpoints” isn’t super compelling

Or add an endpoint abstraction layer in the backend that takes POST requests and maps them to the GET endpoints?

(and then deprecate the GETs lol)

Presumably your SDK is hiding these behind some abstraction layer, maybe you can just fall back to URLConnection or use Java’s HttpClient for those under the hood

We allow callers to configure their HTTP client as part of configuring their SDK client. Falling back to another client would ignore their custom OkHttp settings and may behave in ways they don't expect. Ideally, we'd like to use one HTTP client for all requests from a configured SDK client.

Then what Ken said

out-of-spec support for bodies on GETs

Are bodies on GETs out of spec? My reading of the HTTP RFCs says "no".

“Add debatably-out-of-spec support for bodies on GETs for <10 bespoke AWS endpoints” doesn’t exactly sound better heh

It's one thing to enforce defaults, it's another to outright prevent making requests (however debatably out of spec we want to call them).

I don’t think that really helps tbh. It’s taking your organizational tech debt and making it OkHttp’s problem, and pushing an anti-pattern into an ubiquitous (and influential) library’s API

Also puzzled why those APIs aren't behind an API gateway that can do that mapping 🤔 Shouldn't have to change the APIs endpoints themselves (though that's the better fix)

It's been debated numerous times, but decision always fell with not supporting it. The compelling evidence to add it would be widespread support and adoption by browsers or python libraries and standard server implementations.

Support for GET+body exists in widely-used clients like curl, Python's urllib3, and .NET's standard HttpClient. While we are pursuing changes to the endpoints themselves, we're having a hard time establishing agreement given that it's not prohibited by RFCs and many existing HTTP clients already support these APIs.

Well I think we are all inline with the spec

sending a payload body on a GET request might cause some existing

implementations to reject the request.

That's server-side implementations right? A client sending a body on a get request couldn't cause a client to reject the request as far as I understand.

Maybe, I mean it's not clear from th3 spec, and it's not a commonly used path that demands support. So I doubt it will change in OkHttp soon. Be nice if the spec was clarified if its intended to be supported. I wonder what's the effect on caching etc.

Also found that the popular JS client lib Axios prevents you from sending a body with GET requests too. The http/2 spec made sending bodies explicitly invalid too

The clearest indication of spec support I can find is in RFC 9110 § 9.3.1:

A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.

In this wording, "previously indicated...that such a request has a purpose and will be adequately supported" seems to be a reason when GET bodies should be allowed. Otherwise, clients shouldn't just send a GET body to a specific endpoint and hope it can deal with it.

It's been discussed before and explicitly decided not to support. And OkHttp doesn't really opt for new config APIs to enable alternate compliance. So I'd advise against the PR for now.

Okay, got it. Thanks for the discussion everyone! 🙂

My reluctant lance to support this is motivated by correctness rather than purity. I think the specs are nice to follow (!), but we have gone for consistency with browsers and other user agents when they’re in tension with the specs. For example, we accept unescaped

|

in URLs cause browsers do, and it’s occasionally used, cause that’s what browsers do.

The Http/2 spec is also troubling, would it only work for Http/1.1?

The Http/2 spec is also troubling, would it only work for Http/1.1?

There are already parts of OkHttp that are only compatible on H2 (e.g.

RequestBody.isDuplex

) 🤷 . Our inclination here was that if OkHttp was open to a path to allowing this it would be an opt-in thing (basically saying "yes I understand this isn't universally supported, I know what I'm doing").

I bet if you ask the corresponding service owners they might tell you they already support POST as well.

If only this were true 🙂 We appreciate your position and all of the feedback. We are burning this issue from both ends, we just wanted to open up a dialogue about the implementation w.r.t the RFC. From our interpretation of the RFC if clients and servers agree to

GET

with body then it's fine, just don't expect universal support. We don't take this to mean that clients should prevent it (for HTTP/1.1 at least) just that server/proxy support may be a problem. I think we have our answer though so as Ian said thanks for the discussion!

Consider caching at the application layer?

Thank you, I got what I wanted working with caching at the application level.