Idea #4919
Updated by Peter Amstutz over 9 years ago
While the API server uses OAuth2 to authenticate with the SSO server, Workbench does not use OAuth2 to authenticate with SSO directly, but instead follows a custom login flow that authenticates the user on the API server with SSO, and then returns an API server token to Workbench via a query parameter in a redirect URL.

https://tools.ietf.org/html/rfc6750 section 5.3:

> Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be
> passed in page URLs (for example, as query string parameters).
> Instead, bearer tokens SHOULD be passed in HTTP message headers or
> message bodies for which confidentiality measures are taken.
> Browsers, web servers, and other software may not adequately
> secure URLs in the browser history, web server logs, and other
> data structures. If bearer tokens are passed in page URLs,
> attackers might be able to steal them from the history data, logs,
> or other unsecured locations.

Also, section 2.1: OAuth2 specifies that the Authorization header using access tokens is "Authorization: Bearer XYZ" (not "Authorization: OAuth2 XYZ", which we use now).
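An added example in Python (not Arvados code): a check that an Authorization header follows the RFC 6750 section 2.1 "Bearer" grammar rather than the non-standard "OAuth2" scheme, plus a helper that flags and redacts token-like query parameters in a redirect URL so that web server logs do not retain them (section 5.3). The parameter names api_token, access_token and token are assumptions, since the ticket does not name the query parameter.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# RFC 6750 section 2.1 grammar for the Authorization header:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive (RFC 7235); the token itself is not.
_BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Query parameter names that may carry a token in the redirect flow described
# in the ticket. The ticket does not name the parameter; these are assumptions.
TOKEN_PARAMS = frozenset({"api_token", "access_token", "token"})


def parse_bearer_token(auth_header):
    """Return the token from an RFC 6750-conformant Authorization header.

    Returns None for a missing header, a malformed token, and the
    non-standard "OAuth2 XYZ" scheme the ticket says is in use.
    """
    if auth_header is None:
        return None
    match = _BEARER_RE.match(auth_header.strip())
    return match.group(1) if match else None


def tokens_in_url(url):
    """Return {param: [values]} for token-like query parameters in a URL.

    A non-empty result means a bearer token travelled in a page URL,
    contrary to RFC 6750 section 5.3, and may now sit in browser history
    and web server logs.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in query.items() if k in TOKEN_PARAMS}


def redact_url(url, placeholder="REDACTED"):
    """Return the URL with token-like query values replaced, for safe logging."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for key in query:
        if key in TOKEN_PARAMS:
            query[key] = [placeholder] * len(query[key])
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(parse_bearer_token("Bearer XYZ"), parse_bearer_token("OAuth2 XYZ"))
    print(redact_url("https://workbench.example/?api_token=abc123&return_to=%2F"))
```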