Security issue when include token in url

[kidphys]

Correct me if I'm wrong, but is it unsecured to include the token in the redirection url? Any host standing in between may intercept and extract the token at will.

[rubyconvict]

HTTPS is required. DNS, browser history, proxies can be problematic, so I guess, the use case here is the same as in Oauth 2.0 - provider must issue a short-lived token (requiring a refresh).

[pboling]

FYI: I rewrote this gem and modernized it!

https://github.com/pboling/omniauth-jwt2