We recently had a potential customer tell us that they view the presence of the id_token within the URL during parts of the auth flow as a security risk.
We would like to alleviate the customer’s concerns but would not like to switch to using post_data as the response mode.
What specifics can we tell the customer about how Auth0 prevents this from being a security risk?
Thank you,
Julius