Q&A
Answer
Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "Should sensitive data ever be passed in the query string?" OWASP has a short description of the problem: Information exposure through query strings in url.
The main problems are generally considered to be
Bookmarks and browser history if someone has access to the browser
Access logs at the intended recipient of the query (or any proxies between you and the recipient)
That the query parameters are included in the "referer" header sent to other servers.
What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of confused deputy problem).
Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the id_token_hint. It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed
14.0.0 - 2042-10-06
Added
Introduced animals into the world, we believe they're going to be a neat addition.
Last updated