connexion: OAuth: When verifying token, do not pass the access_token as query param
In decorators/security.py - verify_oauth, a session.get() call is made to the token_info_url and the access_token to be verified is passed as a query parameter. According to the OAuth 2.0 Authorization Framework: Bearer Token Usage, section 5.3 (https://tools.ietf.org/html/rfc6750#section-5.3):
Don’t pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
I propose that this code is changed to something along these lines:
token_request = session.post(token_info_url, json={'access_token': token}, timeout=5)
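An added example, not connexion's code, that makes the RFC's point concrete: a throwaway token-info endpoint records each request line the way a web server access log would, and only the query-parameter variant leaves the token in that log. The endpoint path, the handler and the sample token are constructed for the demonstration; the header-based client is the RFC 6750 section 2.1 form, and the JSON-body form proposed above would equally keep the token out of the request line.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

VALID_TOKEN = "tok-CONSTRUCTED-EXAMPLE"  # constructed sample token, not a real credential
ACCESS_LOG = []  # stand-in for the web server's access log (it records the request line)

class TokenInfoHandler(BaseHTTPRequestHandler):
    # Throwaway token-info endpoint: reads the token from the query string or the Authorization header.
    def _token(self):
        qs = parse_qs(urlparse(self.path).query)
        if "access_token" in qs:
            return qs["access_token"][0]
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            return auth[len("Bearer "):]
        return None

    def _respond(self):
        ACCESS_LOG.append("%s %s" % (self.command, self.path))  # exactly what an access log keeps
        body = json.dumps({"active": self._token() == VALID_TOKEN}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    do_GET = _respond

    def log_message(self, *args):  # keep stderr quiet
        pass

def start_server():
    server = HTTPServer(("127.0.0.1", 0), TokenInfoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/oauth2/tokeninfo" % server.server_port

def verify_via_query(token_info_url, token):
    # The pattern the issue objects to: the bearer token travels in the URL.
    return json.load(urlopen("%s?access_token=%s" % (token_info_url, token), timeout=5))

def verify_via_header(token_info_url, token):
    # RFC 6750 section 2.1 form: token in the Authorization header, nothing in the URL.
    req = Request(token_info_url, headers={"Authorization": "Bearer " + token})
    return json.load(urlopen(req, timeout=5))

def leaked_log_lines(token):
    # Access-log lines that expose the token; only the query-parameter variant produces any.
    return [line for line in ACCESS_LOG if token in line]
```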
About this issue
- State: closed
- Created 8 years ago
- Comments: 22 (16 by maintainers)
I would not use the HTTP “POST” method here as the request does not change any state, I think passing the access token should look like: