
Security issue with MAG access tokens for social logins passed as query parameters


Article ID: 224782


Updated On:


CA Mobile API Gateway


For our MAG installation we use Enterprise Social Login. The 'MAG Authenticate via Social Login' assertion is used. This assertion is read-only and contains a call to the resource endpoint.

However, in this call the access token is placed in the URL as a query parameter. The web servers in front of the resource server log the requests, so the logs are full of access tokens.

Our security department finds this unacceptable.

According to the specification, the recommended way of sending the token is in an HTTP header of the request instead of in the URL.
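The following is an added example, not code from the MAG product or from this article, that illustrates the two request forms and the resulting log exposure. The resource URL, token value and access-log lines are constructed for the example; the real MAG social-login endpoint and its log format differ. It shows the discouraged query-parameter form next to the header form recommended by RFC 6750, then scans constructed web-server log lines for tokens that leaked into the request line and redacts them, which is the check and cleanup a security team would want to run against the existing logs.

```python
"""Added example (not CA/Broadcom MAG code): bearer token in the query string
versus in the Authorization header, plus a scan/redaction of leaked tokens
in web-server access logs. All URLs, tokens and log lines are constructed."""
from __future__ import annotations
import re
from urllib.parse import urlencode, urlparse, urlunparse, parse_qs

# Hypothetical resource endpoint and token; the real MAG social-login URL differs.
RESOURCE_URL = "https://resource.example.com/userinfo"
TOKEN = "ya29.exampletoken1234"


def request_with_query_token(url: str, token: str) -> tuple[str, dict]:
    """Discouraged form (RFC 6750 section 2.3): the token becomes part of the
    request line, so every proxy and web server in the path logs it."""
    return f"{url}?{urlencode({'access_token': token})}", {}


def request_with_header_token(url: str, token: str) -> tuple[str, dict]:
    """Recommended form (RFC 6750 section 2.1): the token travels in the
    Authorization header, which access logs do not record by default."""
    return url, {"Authorization": f"Bearer {token}"}


# Constructed access-log lines in combined log format, not real MAG logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /userinfo?access_token=ya29.exampletoken1234 HTTP/1.1" 200 512 "-" "MAG/4.1"
10.0.0.5 - - [12/Mar/2021:10:01:03 +0000] "GET /userinfo HTTP/1.1" 200 512 "-" "MAG/4.1"
10.0.0.7 - - [12/Mar/2021:10:01:04 +0000] "GET /profile?id=42&access_token=AbC.def HTTP/1.1" 200 88 "-" "curl/7.68"
"""

# Query parameter names that should never appear in a logged request line.
TOKEN_PARAMS = ("access_token", "id_token", "refresh_token")
# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def leaked_tokens(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, parameter, value) for every token-like query
    parameter found in the request line of each log entry."""
    found = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("target")).query)
        for param in TOKEN_PARAMS:
            for value in qs.get(param, []):
                found.append((n, param, value))
    return found


def redact_line(line: str) -> str:
    """Return the log line with the value of any token-like query parameter
    replaced by [REDACTED]; lines without a request line or tokens are unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlparse(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not any(p in qs for p in TOKEN_PARAMS):
        return line
    for param in TOKEN_PARAMS:
        if param in qs:
            qs[param] = ["[REDACTED]"]
    new_target = urlunparse(parts._replace(query=urlencode(qs, doseq=True, safe="[]")))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


if __name__ == "__main__":
    print("query form:  ", request_with_query_token(RESOURCE_URL, TOKEN))
    print("header form: ", request_with_header_token(RESOURCE_URL, TOKEN))
    for n, param, value in leaked_tokens(SAMPLE_LOG):
        print(f"line {n}: {param} leaked ({len(value)} chars)")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The scan only looks at the request line; if the front-end web servers are also configured to log the `Referer` header or the full query string elsewhere, those fields need the same treatment. Redacting existing logs limits the exposure of tokens already issued, but it does not change the assertion's behaviour, so the tokens keep being written until the gateway sends them in the Authorization header.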


Release: 4.0, 4.1, 4.2.x

Component: MOBILE API


This will be resolved in the next release or update of Mobile API.