Story #4919
Updated by Peter Amstutz almost 10 years ago
While the API server uses OAuth2 to authenticate with the SSO server, Workbench does not use OAuth2 to authenticate with SSO directly, but instead follows a custom login flow that authenticates the user on API server with SSO, and then returns an API server token to Workbench. https://tools.ietf.org/html/rfc6750 section 5.3:

<pre>
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
</pre>

Also, section 2.1: OAuth2 specifies that the Authorization header using access tokens is "Authorization: Bearer XYZ", not "Authorization: OAuth2 XYZ" (which we use now).
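The two RFC 6750 points raised above (the "Bearer" scheme in section 2.1, and not accepting tokens from page URLs per section 5.3) as a small server-side check. This is an added example, not Arvados API server or Workbench code: the request shape (a hash with :url and :headers), the legacy "OAuth2" scheme being accepted only behind an opt-in flag, and the list of query parameter names treated as token carriers are all assumptions made for the example.

```ruby
# Added example (not Arvados code): extract an access token from the
# Authorization header the way RFC 6750 section 2.1 describes, and refuse
# requests that carry the token in the page URL (RFC 6750 section 5.3).
require 'uri'

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = '[A-Za-z0-9\-._~+\/]+=*'.freeze
# Standard scheme from section 2.1: "Authorization: Bearer XYZ"
BEARER_RE = /\A\s*Bearer\s+(#{B64TOKEN})\s*\z/
# Legacy scheme the ticket says is sent today: "Authorization: OAuth2 XYZ".
# Accepting it is an assumption for migration purposes, not a project policy.
LEGACY_RE = /\A\s*OAuth2\s+(#{B64TOKEN})\s*\z/

# Returns [token, scheme] for a well-formed credential, nil otherwise.
def token_from_authorization(header, allow_legacy: false)
  return nil if header.nil?
  if (m = BEARER_RE.match(header))
    return [m[1], :bearer]
  end
  if allow_legacy && (m = LEGACY_RE.match(header))
    return [m[1], :legacy_oauth2]
  end
  nil
end

# Query parameter names treated as token carriers (assumed names for the
# example). Tokens in the URL end up in browser history and server logs,
# which is exactly what section 5.3 warns about.
TOKEN_PARAMS = %w[api_token access_token oauth_token].freeze

def token_in_url?(url)
  query = URI.parse(url).query
  return false if query.nil?
  URI.decode_www_form(query).any? { |name, _| TOKEN_PARAMS.include?(name) }
end

# Authenticate a request given as a constructed hash { url:, headers: }
# (a stand-in for a Rack request). Requests that put the token in the URL
# are rejected outright so the token never reaches the application.
def authenticate(req, allow_legacy: false)
  return { status: 400, error: 'token_in_url' } if token_in_url?(req[:url])

  cred = token_from_authorization(req[:headers]['Authorization'],
                                  allow_legacy: allow_legacy)
  return { status: 401, error: 'invalid_request' } if cred.nil?

  { status: 200, token: cred[0], scheme: cred[1] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  good = { url: 'https://example.invalid/collections',
           headers: { 'Authorization' => 'Bearer abc123' } }
  leaky = { url: 'https://example.invalid/collections?api_token=abc123',
            headers: {} }
  puts authenticate(good).inspect
  puts authenticate(leaky).inspect
end
```

With `allow_legacy: false` (the default here) the old "OAuth2" scheme is rejected with 401, which makes it easy to tell from logs which clients still need the header change; the 400 for a token in the URL is returned before any lookup so the value is never used, even though the URL itself may already have been logged upstream.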