zquestz / omniauth-google-oauth2

OAuth2 strategy for Google

GET /oauth2/v3/tokeninfo exposes access_token in traces/logs #458

Closed flux-ricky closed 4 weeks ago

flux-ricky commented 2 months ago

If you have a forward proxy or trace instrumentation installed then GET requests to /oauth2/v3/tokeninfo can expose access tokens due to them being present as query parameters.

However, this endpoint can receive POST requests which would allow the access tokens to be in the body of the HTTP request. This is better behaviour.

I have a pull request updating this here: #457
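To make the exposure concrete, here is an added illustration (not the project's code or the linked pull request) that builds the tokeninfo request both ways with Ruby's `Net::HTTP` and checks whether a proxy-style log line of method plus request target would contain the token. The helper names and the sample token value are constructed for this example.

```ruby
require "net/http"
require "uri"

TOKENINFO_URI = URI("https://www.googleapis.com/oauth2/v3/tokeninfo")

# Build the tokeninfo request either the old way (token in the query string
# of a GET) or the safer way (token in a form-encoded POST body).
def build_tokeninfo_request(access_token, use_post: true)
  if use_post
    req = Net::HTTP::Post.new(TOKENINFO_URI.path)
    req.set_form_data("access_token" => access_token)
    req
  else
    uri = TOKENINFO_URI.dup
    uri.query = URI.encode_www_form("access_token" => access_token)
    Net::HTTP::Get.new(uri.request_uri)
  end
end

# What a forward proxy or trace instrumentation typically records for a
# request: the method and the request target, but not the body.
# (Constructed log format for illustration; real proxies vary.)
def proxy_log_line(request)
  "#{request.method} #{request.path}"
end

# True when the token would end up in that log line.
def token_leaked?(request, access_token)
  proxy_log_line(request).include?(access_token)
end

if $PROGRAM_NAME == __FILE__
  sample = "ya29.constructed-sample-token"  # constructed, not a real token
  puts proxy_log_line(build_tokeninfo_request(sample, use_post: false))
  puts proxy_log_line(build_tokeninfo_request(sample, use_post: true))
end
```

The GET form prints the token in the request target; the POST form logs only `/oauth2/v3/tokeninfo` while the token travels in the body.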

zquestz commented 4 weeks ago

Merged. Thx. =)