For our MAG installation we use Enterprise Social Login. The 'MAG Authenticate via Social Login' assertion is used. This assertion is read-only and contains a call to the resource endpoint.
However, in this call the access token is placed in the URL as a query parameter. The web servers in front of the resource server log the requests, so the logs are full of access tokens.
Our security department finds this unacceptable.
According to the specification (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo), the recommended way of sending the token is in an HTTP header of the request instead of in the URL.
Release: 4.0, 4.1, 4.2.x
Component: MOBILE API
This issue is fixed in release 4.2.2 as documented here: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/mobile-api-gateway/4-2/release-notes.html
The MAG Authenticate via Social Login assertion contains OAuth calls that pass access_token as a query parameter.
To increase security, the access token is now passed in the Authorization header instead.
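As an added illustration (not the MAG assertion's own code, and no Broadcom API is used), the snippet below shows the two UserInfo request shapes side by side, and a check a defender can run over existing web server access logs to find tokens that were already written there; the endpoint URL, log lines and token values are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

USERINFO_URL = "https://idp.example.com/userinfo"  # assumed endpoint, not a real MAG URL


def userinfo_request_query(token):
    """Pre-4.2.2 shape: the token rides in the query string, so every proxy and web
    server in front of the resource server records it in its access log."""
    return {"url": f"{USERINFO_URL}?access_token={token}",
            "headers": {"Accept": "application/json"}}


def userinfo_request_header(token):
    """Fixed shape (OIDC Core UserInfo / RFC 6750 bearer usage): the token only
    appears in the Authorization header, which access logs do not normally record."""
    return {"url": USERINFO_URL,
            "headers": {"Accept": "application/json",
                        "Authorization": f"Bearer {token}"}}


def leaks_token_in_url(request):
    """True when an access_token parameter is present anywhere in the request URL."""
    return "access_token" in parse_qs(urlsplit(request["url"]).query)


# Constructed Common Log Format lines, as a front-end web server would write them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /userinfo?access_token=abc123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /userinfo HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2020:10:00:02 +0000] "GET /userinfo?scope=openid&access_token=def456 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')


def find_leaked_tokens(log_lines):
    """Return (request_target, token) for each log line whose URL carries access_token.
    Use this to size the exposure and decide which tokens to revoke."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        for token in parse_qs(urlsplit(target).query).get("access_token", []):
            hits.append((target, token))
    return hits


def redact_tokens(line):
    """Scrub the token value from a log line before the log is retained or shipped."""
    return re.sub(r'(access_token=)[^&\s"]+', r'\1[REDACTED]', line)
```

Until the gateway is upgraded, redact_tokens can be applied in the log pipeline as a stop-gap, but the durable fix is the 4.2.2 change that removes the token from the URL entirely.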