Ability to send token as part of URL #546
History & Security
The original reason for using the cookie over putting the token in the query string was that we thought the latter was insecure. After much discussion and research we concluded that if you're using HTTPS this is just as secure as cookies because with HTTPS the URL and its params are also encrypted. This is in fact how Auth0 does their OAuth authentication.
The biggest risk is a malicious proxy (i.e. a man-in-the-middle attack). If you're not using HTTPS a malicious proxy could cache these tokens and use them on behalf of a user. So you must use HTTPS. If you are, the only way that a malicious proxy can get your token is if they had your private SSL keys. If that happens, you have bigger problems!
However even with that, they cannot issue new tokens or tamper with the tokens without your secret used to sign the JWTs. So overall we feel this is a much safer and also less error prone method than using cookies for passing JWTs around during redirects and server side rendering.
Allow users to register a custom formatter to append the access token to the URL as part of the query string when doing a redirect. Similar to feathersjs/authentication-oauth2#8.
I think the only protection we have against this is to redirect the users to a blank HTML page as I've done in this example: https://gist.github.com/marshallswain/3c9e5b3b177b977468b5b711b6254f67
They'll have to manually create it.
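The two pieces discussed above, the redirect formatter that appends the access token to the query string and the landing page that consumes it, as an added example. This is not feathersjs code and not the gist linked above; `formatRedirectWithToken`, `consumeTokenFromUrl` and the `access_token` parameter name are assumptions. The server-side helper refuses non-HTTPS redirect targets (the condition the thread sets), and the landing-page helper returns a token-free URL so the page can call `history.replaceState` and keep the token out of browser history and any `Referer` header sent from that page.

```javascript
// Added example, not part of feathersjs or the linked gist.
// Node's global URL / URLSearchParams are used; browsers expose the same API.

// Server side: build the post-OAuth redirect URL with the JWT as a query parameter.
// Hypothetical helper in the spirit of the "custom formatter" proposal above.
function formatRedirectWithToken(redirectBase, token, paramName = 'access_token') {
  const url = new URL(redirectBase);
  // The thread's precondition: a token in a URL is only acceptable over HTTPS.
  if (url.protocol !== 'https:') {
    throw new Error('refusing to place a token in a non-HTTPS redirect URL');
  }
  url.searchParams.set(paramName, token);
  return url.toString();
}

// Landing page side: pull the token out of the current location and compute the
// URL that should replace it in the address bar, with the token removed.
function consumeTokenFromUrl(href, paramName = 'access_token') {
  const url = new URL(href);
  const token = url.searchParams.get(paramName);
  if (token === null) {
    return { token: null, cleanUrl: href };
  }
  url.searchParams.delete(paramName);
  return { token, cleanUrl: url.toString() };
}

// Browser usage on the landing page (assumed storage key; adapt to your client):
//   const { token, cleanUrl } = consumeTokenFromUrl(window.location.href);
//   if (token) {
//     window.localStorage.setItem('jwt', token);      // hand the JWT to the client
//     window.history.replaceState(null, '', cleanUrl); // scrub it from the URL bar
//   }

module.exports = { formatRedirectWithToken, consumeTokenFromUrl };
```

The landing page should do nothing else (no third-party scripts, no outbound links) until the token has been stored and the URL replaced; that is the role the blank page in the thread plays.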
Going to close this. We probably just need better errors, warnings and docs to help demystify and debug cookies.