Closed (richvdh closed this issue 2 months ago)
The OAuth 2.0 Security Best Current Practice document deprecates the query param usage:
> Clients MUST NOT pass access tokens in a URI query parameter in the way described in Section 2.3 of [RFC6750].
MSC4126 describes deprecation, and MSC4127 describes removal. See MSC4127 for process efficiencies if interested.
Some history:

- ... `access_token` query parameter.
- ... `Authorization: Bearer` header, while continuing to permit the use of the query parameter for clients that needed it.

IMHO it is past time to deprecate support for the query parameter with a view to removing it in a future spec version, for the following reasons:
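The migration the issue argues for has a server-side counterpart: accept the `Authorization: Bearer` header (RFC 6750 section 2.1) and phase out the `access_token` query parameter (RFC 6750 section 2.3) in steps. The following is an added example, not code from the Matrix spec, MSC4126/MSC4127 or any homeserver; the request shape, the `extract_access_token` helper and the allow/warn/reject policy names are assumptions. It also enforces RFC 6750 section 2's rule that a request carries the token by only one method, and it logs the deprecated usage without ever logging the token value.

```python
# Added example (not from the MSC or any Matrix implementation): a server-side
# helper that extracts the access token from a request, preferring the
# Authorization: Bearer header and treating the deprecated access_token query
# parameter according to a configurable policy, so a deployment can move from
# "allow" to "warn" to "reject" in stages. Request shape and names are assumed.
import logging
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("token_extraction")

ALLOW, WARN, REJECT = "allow", "warn", "reject"


class TokenError(Exception):
    """Raised when no acceptable access token is present."""


def extract_access_token(method, url, headers, query_param_policy=WARN):
    """Return the access token for a request.

    headers: dict of header name -> value (looked up case-insensitively).
    query_param_policy: ALLOW, WARN or REJECT for the ?access_token= form.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    query = parse_qs(urlsplit(url).query)
    query_tokens = query.get("access_token", [])

    header_token = None
    if auth is not None:
        scheme, _, credentials = auth.partition(" ")
        if scheme.lower() != "bearer" or not credentials.strip():
            raise TokenError("malformed Authorization header")
        header_token = credentials.strip()

    # RFC 6750 section 2: a client MUST NOT use more than one method per request.
    if header_token and query_tokens:
        raise TokenError("token supplied in both header and query parameter")

    if header_token:
        return header_token

    if query_tokens:
        if query_param_policy == REJECT:
            raise TokenError("access_token query parameter is no longer supported")
        if query_param_policy == WARN:
            # Record the fact, never the token: query strings end up in access
            # logs, proxies and browser history, which is why the form is deprecated.
            log.warning("deprecated access_token query parameter used on %s %s",
                        method, urlsplit(url).path)
        return query_tokens[0]

    raise TokenError("missing access token")
```

Running a server in `WARN` mode for a release or two gives operators a log-based measure of how many clients still use the query parameter before flipping to `REJECT`.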