Is the presence of the id_token in the URL a security risk?

julius · November 17, 2021, 9:57pm

We recently had a potential customer tell us that they view the presence of the id_token within the URL during parts of the auth flow as a security risk.

We would like to alleviate the customer’s concerns but would not like to switch to using post_data as the response mode.

What specifics can we tell the customer about how Auth0 prevents this from being a security risk?

Thank you,
Julius

dan.woda · November 26, 2021, 5:48pm

Hi @julius,

Welcome to the Auth0 Community!

Can you please tell us more about your setup? I can reach out to the team, and would like some specific details about how you have set up your flow.

dan.woda · January 20, 2022, 11:05pm

Closing after no reply.