Difference between sending OAuth codes and jwt tokens in URL query security

iKingNinja · May 6, 2023, 2:26pm

Why is passing OAuth codes in the URL’s query considered safe while doing it with JWTs is not?

If an OAuth code is leaked, the attacker can use it to retrieve the bearer token thus getting access to the user’s resources, likewise if the JWT is leaked the attacker can use it to authenticate himself as the actual user.

I’d like to understand the difference between the two cases as I want to use a SignalR client with the WebSockets protocol, but I somehow need to authenticate the user and since headers can’t be sent using the WebSockets protocol there’s no other way than using the URL’s query. I cannot use ASP.NET authentication as it is handled by a NodeJs server.

tyf · May 10, 2023, 12:42am

Hey there @iKingNinja welcome to the community!

Neither of these flows (Authorization code nor Implicit) are considered best practice for public applications (SPA, Native) - Authorization code with PKCE is preferred for the very reason you mention, exposing codes/tokens in a url.

system · May 24, 2023, 12:42am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Securely Pass a JWT in the URL Query Parameters of a GET Request Knowledge Articles jwt , url , query-parameters , get	1	27515	July 6, 2021
How access token is not exposed on the client side? Help configuration , application	2	171	June 20, 2024
Using two JWT tokens for websockets Help jwt , auth0	1	3992	August 9, 2020
JWT.IO Devs - can you make available a query string so we can send a JWT as part of the page request? JWT.io	2	4780	August 28, 2019
SPA with Authorization Code Grant Help authorization-flow	6	11907	August 30, 2019

Difference between sending OAuth codes and jwt tokens in URL query security

Related Topics