For our MAG installation we use Enterprise Social Login. The 'MAG Authenticate via Social Login' assertion is used. This assertion is read-only and contains a call to the resource endpoint.
However, this call places the access token in the URL as a query parameter. The web servers in front of the resource server log each request, so their logs fill up with access tokens.
Our security department finds this unacceptable.
According to the specification (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo), the recommended way of sending the token is in an HTTP header of the request rather than in the URL.
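The following Python script is an added illustration of the two request forms described above and of the logging consequence; it is not code from the MAG product or from this page. It builds a UserInfo request once with the token in the `Authorization: Bearer` header (the spec's recommended form, which access logs do not record) and once as an `access_token` query parameter (the form that lands in every proxy log), then scans constructed web-server log lines for tokens that have already leaked and redacts them. The endpoint URL, the token value and the log lines are constructed sample data, and the parameter names `access_token`, `token` and `id_token` are an assumption about where bearer tokens typically appear in query strings.

```python
"""Added example (not MAG product code): bearer token placement for a
UserInfo call, plus a scanner/redactor for tokens already in access logs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values; a real deployment's endpoint and token differ.
USERINFO_ENDPOINT = "https://idp.example.com/connect/userinfo"
SAMPLE_TOKEN = "AT-constructed-0123456789abcdef"

# Assumed query-parameter names under which bearer tokens tend to appear.
TOKEN_PARAMS = {"access_token", "token", "id_token"}


def userinfo_request(token, in_header=True):
    """Return (url, headers) for a UserInfo call.

    in_header=True  -> token travels in 'Authorization: Bearer ...', which
                       web-server access logs do not record.
    in_header=False -> token is appended as ?access_token=..., so it is
                       written verbatim into every proxy/web-server log.
    """
    if in_header:
        return USERINFO_ENDPOINT, {"Authorization": f"Bearer {token}"}
    return f"{USERINFO_ENDPOINT}?{urlencode({'access_token': token})}", {}


# Matches the request part of a Combined-Log-Format line, e.g.
# "GET /connect/userinfo?access_token=... HTTP/1.1"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_token_leaks(log_lines):
    """Return [(line_number, param_name, token)] for every log line whose
    request target carries a bearer token in its query string."""
    leaks = []
    for n, line in enumerate(log_lines, start=1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group("target")).query):
            if name in TOKEN_PARAMS and value:
                leaks.append((n, name, value))
    return leaks


def redact_tokens(log_line):
    """Replace token query values with 'REDACTED' so the line can be kept
    for troubleshooting without retaining a usable credential."""
    m = LOG_LINE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group("target"))
    cleaned = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return log_line[:m.start("target")] + target + log_line[m.end("target"):]


# Constructed access-log sample: one leaking request, two harmless ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /connect/userinfo'
    f'?access_token={SAMPLE_TOKEN} HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /connect/userinfo HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    print("header form :", userinfo_request(SAMPLE_TOKEN))
    print("query form  :", userinfo_request(SAMPLE_TOKEN, in_header=False))
    for n, name, token in find_token_leaks(SAMPLE_LOG):
        print(f"leak on line {n}: {name}={token[:6]}...")
    print(redact_tokens(SAMPLE_LOG[0]))
```

Running the scanner over the real front-end web-server logs gives the security team a count of how many tokens are currently exposed, and the redactor can be applied as a log-pipeline filter until the request is changed to the header form.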
Release : 4.0 4.1 4.2.x
Component : MOBILE API