Is it safe to pass access token as query param?

[asvrada]

spring-boot-react-oauth2-social-login-demo/spring-social/src/main/java/com/example/springsocial/security/oauth2/OAuth2AuthenticationSuccessHandler.java

Line 66 in 1b77669

.queryParam("token", token)

In the above link, an access token is generated and passed back to user-agent (browser) as query param. Is there a security risk for transferring access token in plain text URL?

[Invectys]

i have the same question

[aditya812]

Passing an access token as a query parameter is generally not recommended from a security standpoint.

URL Visibility: Query parameters are often visible in browser history, server logs, and can be easily copied from the URL. This means that if someone gains access to a user's browser history or a server log, they could potentially obtain the access token, which can be used maliciously.

Caching: Some web browsers and caching mechanisms may cache URLs, including query parameters. If an access token is included in a URL, it could be cached on the user's device or intermediary caching servers, making it accessible even after the user logs out or the token expires.

[luvarqpp]

Sidenote, when using SSE using standard approach like:

 var source = new EventSource("demo_sse_endpoint");

You have no possibility to add any headers (i.e. Authorization header with Bearer token, JWT).
There is generally advised to pass some special, one time only, token as query parameter. On the other side, when connection is lost and event stream tries to re-establish connection, you will face problem, when given token is not valid anymore. There can be message id used as another secret, but it make things even more complex.

[AdigaAkhil]

User-agent storing Any form of tokens is not a good practice according to this article

One of the approaches is to use a BFF server along with session cookies with the User-Agent.
On successful login. the success handler should set an httpOnly session cookie. Which later will be used by the User-Agent to get the access-token only.