> On Sat, Nov 22, 2014 at 12:50 PM, Harsha Kumara <[email protected]> wrote:
>
>> Hi,
>>
>> As Johann mentioned, if the specification defines sending the token as a
>> query param, we need to support it and implement it as the specification
>> specifies. But again, the user who is going to use it needs to be aware of
>> the security issues caused by using the token as a query param. Also, the
>> specification specifies that it is discouraged to use this approach. IMO, if
>> we support it, we shouldn't use it in our products unless there is a
>> specific reason.
>>
>
What would be the particular use case for sending the access token in the query string? This is a bad practice according to many real-world use cases [1].

[1] http://www.thread-safe.com/2013/10/latest-facebook-security-vulnerability.html

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
