Difference between sending OAuth codes and JWT tokens in URL query security

Why is passing OAuth codes in the URL’s query considered safe while doing it with JWTs is not?

If an OAuth code is leaked, the attacker can use it to retrieve the bearer token thus getting access to the user’s resources, likewise if the JWT is leaked the attacker can use it to authenticate himself as the actual user.

I’d like to understand the difference between the two cases as I want to use a SignalR client with the WebSockets protocol, but I somehow need to authenticate the user and since headers can’t be sent using the WebSockets protocol there’s no other way than using the URL’s query. I cannot use ASP.NET authentication as it is handled by a NodeJs server.


Hey there @iKingNinja welcome to the community!

Neither of these flows (Authorization Code or Implicit) is considered best practice for public applications (SPA, native). Authorization Code with PKCE is preferred for the very reason you mention: exposing codes/tokens in a URL.

