How Okta provides Security for Query pramerters for /authorize and /token

Gayithri · March 27, 2019, 2:12pm

How Okta provides security when we call /authorize and /token endpoint as query parameters with client_id and client_sceret and grant_type etccc…

It will be visible if we pass all there (client_id, client_secret etc) in parameters and chances of loosing security.

Can any one explain how Okta provides security for these endpoints?

dragos · March 27, 2019, 2:41pm

Hi @Gayithri

We do not recommend passing the confidential details such as client secret as query parameters, but as POST attributes, as the hostname and request path can be logged.

You can find here the current supported flows, along with examples on how to send them securely.

Gayithri · March 27, 2019, 6:58pm

Hi Drago’s,

Thanks for your explanation.

Yes I saw /authorize and /token for these end points sending as query parameters in the Authorization I code flow https://developer.okta.com/authentication-guide/implementing-authentication/auth-code/#_1-setting-up-your-application.
So I got doubt.

system · January 17, 2024, 7:55pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Unable to add query param client_secret in token api Questions	2	3671	March 19, 2020
We are using OKTA OpenId Connect rest API for authentication, when I call /oauth2/v1/authorize with session token, client id and other parameters I am getting html form as response with token and other response parameters as hidden fields OAuth/OIDC	4	10090	July 26, 2017
Postman API Login Questions	6	3523	June 23, 2021
Signature validation on Request JWT in OAuth2.0 /authorize operation OAuth/OIDC	2	5192	March 8, 2018
Isn't passing the sessionToken as a query param on OIDC authorization endpoint having some security concern? Questions	3	3650	April 9, 2020

How Okta provides Security for Query pramerters for /authorize and /token

Related topics