Passing access tokens as query parameters should be deprecated

[richvdh]

Some history:

• Originally, access tokens were passed from clients to servers as an access_token query parameter.
• https://github.com/matrix-org/matrix-doc/pull/1044 and https://github.com/matrix-org/matrix-doc/pull/1517 changed the spec to encourage clients to pass the access token via an Authorization: Bearer header, while continuing to permit the use of the query parameter for clients that needed it.

IMHO it is past time to deprecate support for the query parameter with a view to removing it in a future spec version, for the following reasons:

• Use of the query parameter is highly unsatisfactory from the security point-of-view (in particular: it is very easy to leak an access token via request logs, browser history, or an accidental cut-and-paste), and its presence is an unnecessary footgun for client implementors.
• Having multiple ways to do something is bad for compatibility and best avoided where practical. (Client X gets developed against Synapse which supports the query parameter. Server Y is developed against the Element clients which do not use the query parameter. All is well until someone tries to use Client X with Server Y.)

[richvdh]

The OAuth 2.0 Security Best Current Practice document deprecates the query param usage:

Clients MUST NOT pass access tokens in a URI query parameter in the way described in Section 2.3 of [RFC6750].

[turt2live]

MSC4126 describes deprecation, and MSC4127 describes removal. See MSC4127 for process efficiencies if interested.