Is the presence of the id_token in the URL a security risk?

julius · November 17, 2021, 9:57pm

We recently had a potential customer tell us that they view the presence of the id_token within the URL during parts of the auth flow as a security risk.

We would like to alleviate the customer’s concerns but would not like to switch to using post_data as the response mode.

What specifics can we tell the customer about how Auth0 prevents this from being a security risk?

Thank you,
Julius

dan.woda · November 26, 2021, 5:48pm

Hi @julius,

Welcome to the Auth0 Community!

Can you please tell us more about your setup? I can reach out to the team, and would like some specific details about how you have set up your flow.

dan.woda · January 20, 2022, 11:05pm

Closing after no reply.

Topic		Replies	Views
Safety of multi-tenant app and authorization Help jwt , id_token , multi-tenant	1	3262	August 6, 2019
Storing the tokenId in the user's localStorage for subsequent requests to the backend Help sessions , authentication-sessions	0	821	May 23, 2023
Basic Auth0 question about JWT id_tokens and Universal Login flow Help login-experience , new-universal-login-experience	4	634	September 7, 2023
Why is the id_token not exposed in the auth0-spa lib Help auth0	2	3536	March 5, 2020
Not receiving ID token in the redirected response URL Help auth0 , login	4	1344	January 25, 2023

Is the presence of the id_token in the URL a security risk?

Related topics