callicoder / spring-boot-react-oauth2-social-login-demo

Spring Boot React OAuth2 Social Login with Google, Facebook, and Github

Is it safe to pass access token as query param? #79

Open asvrada opened 1 year ago

asvrada commented 1 year ago

https://github.com/callicoder/spring-boot-react-oauth2-social-login-demo/blob/1b77669e0ca326b1c556a83dc0c3bae233653788/spring-social/src/main/java/com/example/springsocial/security/oauth2/OAuth2AuthenticationSuccessHandler.java#L66

In the above link, an access token is generated and passed back to the user agent (browser) as a query param. Is there a security risk in transferring the access token in a plain-text URL?

Invectys commented 1 year ago

I have the same question.

aditya812 commented 1 year ago

Passing an access token as a query parameter is generally not recommended from a security standpoint.

URL Visibility: Query parameters are often visible in browser history, server logs, and can be easily copied from the URL. This means that if someone gains access to a user's browser history or a server log, they could potentially obtain the access token, which can be used maliciously.

Caching: Some web browsers and caching mechanisms may cache URLs, including query parameters. If an access token is included in a URL, it could be cached on the user's device or intermediary caching servers, making it accessible even after the user logs out or the token expires.

luvarqpp commented 1 year ago

Side note: when using SSE with the standard approach like:

```javascript
var source = new EventSource("demo_sse_endpoint");
```

You have no possibility to add any headers (i.e. an Authorization header with a Bearer token, JWT). It is generally advised to pass some special, one-time-only token as a query parameter. On the other side, when the connection is lost and the event stream tries to re-establish the connection, you will face a problem when the given token is not valid anymore. The message id can be used as another secret, but it makes things even more complex.

AdigaAkhil commented 1 year ago

The user agent storing any form of token is not a good practice according to this article.

One of the approaches is to use a BFF server along with session cookies with the User-Agent. On successful login, the success handler should set an httpOnly session cookie, which will later be used by the User-Agent to get the access token only.
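As an added illustration of the cookie-based alternative discussed in this thread (example code, not the repository's own `OAuth2AuthenticationSuccessHandler`): a Spring Security success handler that issues the application's token in an HttpOnly, Secure cookie and redirects with no token in the URL. The `TokenProvider` interface, the cookie name `app_session`, and the `javax.servlet` imports (Spring Boot 2 era) are assumptions.

```java
// Added example, not the repository's own handler. Assumes a hypothetical
// TokenProvider that issues the application's token for an Authentication.
import java.io.IOException;
import java.time.Duration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/** Hypothetical: whatever issues the app's own token (e.g. a JWT) after login. */
interface TokenProvider {
    String createToken(Authentication authentication);
}

public class CookieOAuth2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    static final String TOKEN_COOKIE = "app_session";   // assumed cookie name
    private final TokenProvider tokenProvider;
    private final String postLoginRedirect;             // e.g. the React app's "/"

    public CookieOAuth2AuthenticationSuccessHandler(TokenProvider tokenProvider, String postLoginRedirect) {
        this.tokenProvider = tokenProvider;
        this.postLoginRedirect = postLoginRedirect;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        if (response.isCommitted()) {
            return;
        }
        String token = tokenProvider.createToken(authentication);
        // The token travels only in a Set-Cookie header: HttpOnly keeps it out of
        // document.cookie, Secure keeps it off plain HTTP, SameSite=Lax blocks most
        // cross-site sends. The redirect URL carries no token, so none lands in
        // browser history, Referer headers, or access logs.
        ResponseCookie cookie = ResponseCookie.from(TOKEN_COOKIE, token)
                .httpOnly(true)
                .secure(true)
                .sameSite("Lax")
                .path("/")
                .maxAge(Duration.ofMinutes(30))   // match the token's own lifetime
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
        clearAuthenticationAttributes(request);
        getRedirectStrategy().sendRedirect(request, response, postLoginRedirect);
    }
}
```

The browser only sends this cookie back when the API and the React app are served from the same site (for example behind the BFF or reverse proxy described above); a separate dev-server origin on another port will not receive it.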