Story #4919

Updated by Peter Amstutz almost 10 years ago

While the API server uses OAuth2 to authenticate with the SSO server, Workbench does not use OAuth2 to authenticate with SSO directly, but instead follows a custom login flow that authenticates the user on the API server with SSO, and then returns an API server token to Workbench via a query parameter in a redirect URL.

https://tools.ietf.org/html/rfc6750 section 5.3:

> Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be
> passed in page URLs (for example, as query string parameters).
> Instead, bearer tokens SHOULD be passed in HTTP message headers or
> message bodies for which confidentiality measures are taken.
> Browsers, web servers, and other software may not adequately
> secure URLs in the browser history, web server logs, and other
> data structures. If bearer tokens are passed in page URLs,
> attackers might be able to steal them from the history data, logs,
> or other unsecured locations.

Also, section 2.1:

OAuth2 specifies that the Authorization header using access tokens is "Authorization: Bearer XYZ" (not "Authorization: OAuth2 XYZ", which we use now).
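As an added example (not Arvados project code), two defensive checks in Ruby that follow from the RFC 6750 sections cited above: a strict parser for the `Bearer` Authorization scheme that rejects the legacy `OAuth2` scheme, and a scan of URLs and of constructed access-log lines for token-carrying query parameters. The parameter name `api_token` and the log lines are assumptions made for the example, not taken from Arvados.

```ruby
# Added example, not Arvados code: RFC 6750 checks for the two issues in this story.
require 'uri'

# RFC 6750 section 2.1: "Authorization: Bearer <b64token>", where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = /\A[A-Za-z0-9\-._~+\/]+=*\z/

# Returns the token when the header is a well-formed Bearer credential, nil otherwise.
# The legacy "OAuth2" scheme named in the story is deliberately rejected.
def bearer_token(authorization_header)
  return nil if authorization_header.nil?
  scheme, token, extra = authorization_header.strip.split(/\s+/, 3)
  return nil unless scheme && scheme.casecmp('bearer').zero? # scheme names are case-insensitive
  return nil if extra || token.nil? || token !~ B64TOKEN
  token
end

# RFC 6750 section 5.3: bearer tokens SHOULD NOT appear in page URLs.
# Returns the query-parameter names that look like token carriers.
TOKEN_PARAM = /token|secret|password/i

def token_params_in_url(url)
  uri = URI.parse(url)
  return [] if uri.query.nil?
  URI.decode_www_form(uri.query).map(&:first).select { |k| k =~ TOKEN_PARAM }
rescue URI::InvalidURIError
  []
end

# Constructed sample access-log lines (assumed format, not real Arvados logs) showing
# how a URL-carried token ends up in server logs, the exposure section 5.3 warns about.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2015:12:00:00 +0000] "GET /?api_token=EXAMPLETOKEN HTTP/1.1" 302 0
  10.0.0.5 - - [01/Jan/2015:12:00:01 +0000] "GET /collections HTTP/1.1" 200 1234
LOG

# Returns the request targets in the log that carry a token-like query parameter.
def leaked_token_requests(log_text)
  log_text.each_line.map { |line| line[/"[A-Z]+ (\S+) HTTP/, 1] }
          .compact
          .select { |path| token_params_in_url("http://placeholder#{path}").any? }
end
```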