
Concerns about access token in URL and browser history



Hi everyone,

I’m using the latest version of Lock (11.9.0) and I have some concerns about the security of redirect mode. During login in redirect mode the access token is passed to the redirect URL, is visible for a second in the browser address bar, and also appears in the browser history. My question is: is exposing the access token in the URL secure, given that someone with physical access to the user's computer could copy it from the browser history after the user has logged out and use it to access the API as the user until the token expires?


Any updates to this?


Hi Andres. If you do not have MFA requirements, setting auth: { redirect: false } will stop showing the id_token in the URL. Have you tried this?


Can you set the response mode in Lock to “form_post”? This uses a POST to the redirect URI rather than a GET, so the token doesn’t get placed in the URL and end up in the browser history.


Hi Chauhan, yes, I actually switched to using redirect mode for exactly this reason: to enable MFA.


I saw that option but I only quickly tried it because I thought maybe it was for something else. How would I interpret a POST request to the browser? Would this mean I would need to receive the access token on the server and pass it somehow to the front end?
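The form_post flow suggested in the thread, as an added example that is not part of the original posts or of Lock itself: the Lock options that keep redirect mode (required for MFA) but have Auth0 POST the response to the callback, plus a framework-agnostic handler that parses that POST body, checks the state parameter, and keeps the token in an HttpOnly cookie so it never appears in a URL. The redirect URL, cookie name and sample body are placeholders constructed for this example; the auth.responseMode option is from the Lock documentation.

```javascript
// Added example, not from the original thread or from Lock: Lock options
// for redirect mode with response_mode=form_post, plus a minimal handler
// for the POSTed callback. Redirect URL and cookie name are placeholders.
const lockOptions = {
  auth: {
    redirect: true,                 // redirect mode, as required for MFA
    responseType: 'token id_token',
    responseMode: 'form_post',      // Auth0 POSTs the result to redirectUrl
    redirectUrl: 'https://app.example.com/callback', // placeholder
  },
};

// Parse the application/x-www-form-urlencoded body Auth0 POSTs and check
// the state parameter against the value saved before login (CSRF check).
function parseFormPostCallback(rawBody, expectedState) {
  const p = new URLSearchParams(rawBody);
  if (p.get('error')) {
    return { ok: false, reason: p.get('error_description') || p.get('error') };
  }
  if (!expectedState || p.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (!p.get('access_token')) {
    return { ok: false, reason: 'missing access_token' };
  }
  return { ok: true, accessToken: p.get('access_token'), idToken: p.get('id_token') };
}

// Build the HTTP response for the callback: the token is stored in an
// HttpOnly cookie (a server-side session works the same way) and the browser
// is redirected to a clean path, so neither the address bar nor the history
// ever contains it. The front end then calls the API through the server,
// which attaches the token from the cookie.
function buildCallbackResponse(rawBody, expectedState) {
  const r = parseFormPostCallback(rawBody, expectedState);
  if (!r.ok) {
    return { status: 400, headers: {}, body: 'Login failed: ' + r.reason };
  }
  return {
    status: 302,
    headers: {
      'Set-Cookie': 'app_at=' + encodeURIComponent(r.accessToken) +
        '; HttpOnly; Secure; SameSite=Lax; Path=/',
      Location: '/',
    },
    body: '',
  };
}
```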