On successful login, access_token, token_type, and other parameters are getting appended to url query params

[Priyankcoder]

On successful login, access_token, token_type, expires_in, state, id_token, and nonce parameters are getting appended to url's query params.

Is there any way to prevent this behavior in the authorizer? Isn't it a security issue?
I have been looking for a solution for some time now and didn't find any solution apart from removing them manually.

[Priyankcoder]

@lakhansamani can you please help here?

[lakhansamani]

@Priyankcoder thank you for sharing this
I suppose you are using built in universal app to do this, but this is how other oauth platforms would also return your access token in URL.

However if your hosts application on same domain as of their main application then we can prevent this as session would already be set.

For now the other option is to implement the same UI using react-sdk which should be fairly simple.

[Priyankcoder]

Thanks for reverting @lakhansamani 😃. My host and main application (authorizer go service) are on the same domain. But I am using Authorization: Bearer JWT_TOKEN header for verification as I need user data (email, name, and other properties) stored in the JWT. Can we extract that user information from session cookie in authorizer backend service? I think If it is possible then we can avoid this behaviour.
FYI: I am using react-authorizer in frontend and authorizer-go in backend

[lakhansamani]

@Priyankcoder this release would remove access_token & id_token from url
https://github.com/authorizerdev/authorizer/releases/tag/1.3.7

Now its client sdks responsibility to get the token using getSession call