We're currently doing a 2-legged OAuth using GET. It works fine, except the query string contains sensitive data and can be seen in the browser address bar. We'd like to convert it to a POST.

Here's the current flow:
The user clicks on a link, which pops up a new window that uses Spring OAuth to generate the OAuth params and then redirects to the provider's URL.

Proposed flow #1:
The user clicks on a link, which pops up a new window that uses Spring OAuth to generate the OAuth params and then forwards to a JSP, which creates a form and submits it on the fly to the provider's URL.

Proposed flow #2:
The user clicks on a link, which pops up a new window that creates a form and submits it on the fly to an MVC controller. The controller then generates the OAuth params and sends the request to the provider. (Not sure if this would work.)

So my question is: what's the proper way to submit a form using OAuth? Thx
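
Proposed flow #1 as an added example (not part of the original post, and plain JDK code rather than Spring OAuth's API): the request is signed with method POST per RFC 5849, so every form field enters the signature base string, and the fields are emitted as a hidden auto-submitting form instead of a query string. The provider URL, consumer key, secret and `user_id` field are constructed placeholders, and the URL is assumed to be already normalized with no query string.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedPostForm {
    // RFC 3986 percent-encoding as OAuth 1.0 requires (URLEncoder differs on ' ', '*', '~').
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Signature base string: method is POST, and the form fields are sorted after encoding.
    static String baseString(String url, Map<String, String> params) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet())
            sorted.put(enc(e.getKey()), enc(e.getValue()));
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet())
            norm.append(norm.length() > 0 ? "&" : "").append(e.getKey()).append('=').append(e.getValue());
        return "POST&" + enc(url) + "&" + enc(norm.toString());
    }
    // 2-legged: the HMAC key is the encoded consumer secret, "&", and an empty token secret.
    static String sign(String base, String consumerSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (enc(consumerSecret) + "&").getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }
    // HTML-attribute escaping so a field value cannot break out of the hidden input.
    static String esc(String s) { return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;"); }
    // What the JSP would render: hidden fields in the POST body, nothing in the address bar.
    static String form(String url, Map<String, String> params) {
        StringBuilder h = new StringBuilder("<form id=\"f\" method=\"post\" action=\"" + esc(url) + "\">\n");
        for (Map.Entry<String, String> e : params.entrySet())
            h.append("  <input type=\"hidden\" name=\"").append(esc(e.getKey()))
             .append("\" value=\"").append(esc(e.getValue())).append("\">\n");
        return h.append("</form>\n<script>document.getElementById('f').submit();</script>").toString();
    }
    public static void main(String[] args) throws Exception {
        String url = "https://provider.example/launch";      // constructed placeholder
        Map<String, String> p = new LinkedHashMap<>();
        p.put("oauth_consumer_key", "demo-key");             // constructed placeholder
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", String.valueOf(System.currentTimeMillis() / 1000));
        p.put("oauth_nonce", UUID.randomUUID().toString());
        p.put("user_id", "alice@example.com");               // constructed sensitive field
        p.put("oauth_signature", sign(baseString(url, p), "demo-secret"));
        System.out.println(form(url, p));
    }
}
```

The values still pass through the browser in the page source and request body; the form keeps them out of the address bar, history and `Referer` header, and the nonce and timestamp limit replay of a captured submission.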