Q&A

Id token contains sensitive information sent by the GET method

Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "Should sensitive data ever be passed in the query string?" OWASP has a short description of the problem: Information exposure through query strings in url.
The main problems are generally considered to be
- Bookmarks and browser history if someone has access to the browser
- Access logs at the intended recipient of the query (or any proxies between you and the recipient)
- That the query parameters are included in the "referer" header sent to other servers.
What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of confused deputy problem).
Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the id_token_hint. It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed

Introduced animals into the world, we believe they're going to be a neat addition.

Last updated 6 years ago

Was this helpful?

Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "Should sensitive data ever be passed in the query string?" OWASP has a short description of the problem: Information exposure through query strings in url.
The main problems are generally considered to be
- Bookmarks and browser history if someone has access to the browser
- Access logs at the intended recipient of the query (or any proxies between you and the recipient)
- That the query parameters are included in the "referer" header sent to other servers.
What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of confused deputy problem).
Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the id_token_hint. It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed

Introduced animals into the world, we believe they're going to be a neat addition.

Last updated 6 years ago

Was this helpful?