Security issue with MAG access tokens for social logins past as query parameters

book

Article ID: 224782

calendar_today

Updated On:

Products

CA Mobile API Gateway

Issue/Introduction

For our MAG installation we use Enterprise Social Login. The 'MAG Authenticate via Social Login' assertion is used. This assertion is read-only and contains a call to the resource endpoint.

However, in this call, the access token is placed in the url as a query parameter. The web servers that are in front of the resource server log the requests, so that the logs are full of access tokens.

Our security department finds this unacceptable.

According to the specification (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) the recommended way of sending the token is in an http header of the request instead of in the url.

Environment

Release : 4.0 4.1 4.2.x

Component : MOBILE API

Resolution

This will be resolved in the next release /update  for mobile API .