
Security issue when include token in url

Open kidphys opened this issue 10 years ago • 2 comments

Correct me if I'm wrong, but is it insecure to include the token in the redirection URL? Any host standing in between may intercept and extract the token at will.

kidphys, Aug 18 '15

HTTPS is required. DNS, browser history, and proxies can be problematic, so I guess the use case here is the same as in OAuth 2.0 - the provider must issue a short-lived token (requiring a refresh).

rubyconvict, Nov 07 '16
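As an added example (not omniauth-jwt's own code, and not from either commenter), here is a stdlib-only Ruby mint/verify pair for the short-lived-token advice above: the verifier enforces HS256, a valid signature and a near-future exp claim, so a token captured from a redirect URL stops working once its TTL passes. The demo secret, the 60-second TTL and the 5-second clock-skew leeway are assumed values.

```ruby
require 'openssl'
require 'json'

# Constructed demo secret; a real deployment uses a random key of at least
# 32 bytes kept out of source control.
DEMO_SECRET = 'constructed-demo-secret-not-for-production'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
  padded.unpack1('m0') # raises ArgumentError on malformed input
end

# Mint an HS256 JWT whose exp is only ttl_seconds away, so a token that leaks
# through a redirect URL (logs, history, referrers) is usable only briefly.
def sign_jwt(claims, secret, ttl_seconds: 60, now: Time.now.to_i)
  header  = { alg: 'HS256', typ: 'JWT' }
  payload = claims.merge(iat: now, exp: now + ttl_seconds)
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the claims on success, nil when the token must be rejected: wrong
# structure, an alg other than HS256 (so alg=none is refused), a bad signature,
# a missing exp, or an exp in the past beyond a small clock-skew leeway.
def verify_jwt(token, secret, now: Time.now.to_i, leeway: 5)
  h64, p64, s64 = token.split('.')
  return nil if s64.nil? || token.count('.') != 2
  header = JSON.parse(b64url_decode(h64))
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h64}.#{p64}")
  return nil unless secure_equal?(expected, b64url_decode(s64))
  claims = JSON.parse(b64url_decode(p64))
  return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
  return nil if now > claims['exp'] + leeway
  claims
rescue ArgumentError, JSON::ParserError
  nil
end
```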

FYI: I rewrote this gem and modernized it!

https://github.com/pboling/omniauth-jwt2

pboling, Mar 07 '24