Isn't passing the sessionToken as a query param on OIDC authorization endpoint having some security concern?

yikshiungy · April 7, 2020, 11:03am

While exploring the custom login ui with OIDC public client auth code grant, I noticed that i must pass in sessionToken as the custom query param to the authorization endpoint so that it wont prompt me to okta login page.
It works, but i do have concern on the security risks. Isn’t it expose something similar to the implicit grant where the access-token is exposed to the redirected url ?

E.g. of authorization endpoint
https://dev-xx.okta.com/oauth2/default/v1/authorize?client_id=xx&redirect_uri=http%3A%2F%2Flocalhost%3A4200&response_type=code&scope=openid%20profile%20email&state=8d804fbfc5f94281b80bf5a0bb32d3e9&code_challenge=iiFi26b9V0OM97Jow5e42KRKAm5N2nK_kJBfMrZiYXg&code_challenge_method=S256&response_mode=query&sessionToken=${sessionToken}

phi1ipp · April 9, 2020, 12:53am

sessionToken is a one-time thing. Intercepting it won’t make any good for further re-use

yikshiungy · April 9, 2020, 1:48am

yes, has done more testing here.
“sessionToken” will result in a “sid” httpOnly cookie and “sid” will be taking over after this
“sessionToken” is not re-usable, this is unlike the access token scenario

Thanks!

system · January 23, 2024, 11:09pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Token and id_token not supported by the /default auth server OAuth/OIDC	4	1639	February 16, 2024
How can I exchange a session_token for an access_token in the backend OAuth/OIDC	10	9081	January 17, 2024
Browserless Session Token => Authorization Code Exchange OAuth/OIDC	2	3145	June 17, 2022
Custom session_id via OIDC Questions	6	3258	November 30, 2021
I get a different oidc token when specifying "sessionToken" OAuth/OIDC	2	3755	January 23, 2020

Isn't passing the sessionToken as a query param on OIDC authorization endpoint having some security concern?

Related topics