Is the presence of the id_token in the URL a security risk?

julius · November 17, 2021, 9:57pm

We recently had a potential customer tell us that they view the presence of the id_token within the URL during parts of the auth flow as a security risk.

We would like to alleviate the customer’s concerns but would not like to switch to using post_data as the response mode.

What specifics can we tell the customer about how Auth0 prevents this from being a security risk?

Thank you,
Julius

dan.woda · November 26, 2021, 5:48pm

Hi @julius,

Welcome to the Auth0 Community!

Can you please tell us more about your setup? I can reach out to the team, and would like some specific details about how you have set up your flow.

dan.woda · January 20, 2022, 11:05pm

Closing after no reply.

Topic		Replies	Views
Storing the tokenId in the user's localStorage for subsequent requests to the backend Help sessions , authentication-sessions	0	820	May 23, 2023
Basic Auth0 question about JWT id_tokens and Universal Login flow Help login-experience , new-universal-login-experience	4	623	September 7, 2023
Not receiving ID token in the redirected response URL Help auth0 , login	4	1333	January 25, 2023
Are Auth0 Id's senstive Help auth0 , security	7	3269	February 3, 2023
Id_token vs access_token: authentication and user data Help id_token , access_token , authentication , access-token	0	1722	October 25, 2022

Is the presence of the id_token in the URL a security risk?

Related Topics