Q&A

Answer

• Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "" OWASP has a short description of the problem: .

  The main problems are generally considered to be

  • Bookmarks and browser history if someone has access to the browser

  • Access logs at the intended recipient of the query (or any proxies between you and the recipient)

  • That the query parameters are included in the "referer" header sent to other servers.

  What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of problem).

  Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the . It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed

14.0.0 - 2042-10-06

Added

• Introduced animals into the world, we believe they're going to be a neat addition.