If using the client-side flow, the callback URL contains the access token. So if the callback URL is sent over HTTP, isn't it vulnerable to being captured and misused?
If user 2 of my app gets the access token of user 1, he can get access to user 1's account.
Also, if the user copies the callback URL and sends it to someone, he is unknowingly giving the other person access to his account.
I can think of some ways of mitigating this: make the callback URL HTTPS, and have the client script remove the access token from the URL, etc. Is that how you are expected to deal with this?
The client-side flow sends the oauth_token in the hash part of the URL (/path?#access_token=abcdef), not in the query part. It is then a good idea for the receiving client to store it in sessionStorage (or something else) and finally use window.location.hash = ''; to remove it from the URL.
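What that callback handler looks like in practice, as an added example that is not part of the question or the answer above. It takes the token out of the fragment, checks it against a state value assumed to have been stored in sessionStorage under the key oauth_state before the redirect started (the key name and the makeFakeWindow stub are assumptions for this example, not part of any real app), saves the token to sessionStorage and then strips the fragment from the address bar. It goes one step past the answer by also rejecting a callback whose state does not match, which is what stops a pasted or injected callback URL from planting someone else's token in the current session.

```javascript
// Added example handler for an implicit-flow callback page.
// Assumptions: the app stored a random 'oauth_state' in sessionStorage before
// redirecting to the authorization server, and the token is returned in the
// URL fragment as access_token=...&state=...

// Parse the fragment part of a URL ("#a=1&b=2", or "/path?#a=1") into an object.
function parseFragment(hash) {
  const i = hash.indexOf('#');
  const body = i === -1 ? hash : hash.slice(i + 1);
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Pull the token out of win.location.hash, verify state, persist the token in
// sessionStorage and remove the fragment from the address bar and history.
// 'win' is passed in (normally the real window) so the logic can be exercised
// with a stub outside a browser.
function captureAccessToken(win) {
  const params = parseFragment(win.location.hash);
  const token = params.access_token;
  if (!token) return { ok: false, reason: 'no_token' };

  // Bind the callback to the request this browser actually started. A token
  // arriving with a missing or unknown state is dropped, so a callback URL
  // pasted in from somewhere else cannot inject a token into this session.
  const expectedState = win.sessionStorage.getItem('oauth_state');
  if (!expectedState || params.state !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  win.sessionStorage.removeItem('oauth_state'); // single use
  win.sessionStorage.setItem('access_token', token);

  // Drop the fragment. replaceState rewrites the current history entry without
  // leaving a trailing '#'; fall back to clearing location.hash where it is
  // unavailable.
  if (win.history && typeof win.history.replaceState === 'function') {
    win.history.replaceState(null, '', win.location.pathname + win.location.search);
  } else {
    win.location.hash = '';
  }
  return { ok: true, token };
}

// Constructed stand-in for a browser window so the handler runs under Node as
// well; a real page would simply call captureAccessToken(window).
function makeFakeWindow(hash, stored = {}) {
  const store = new Map(Object.entries(stored));
  const location = { pathname: '/callback', search: '', hash };
  return {
    location,
    sessionStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, String(v)),
      removeItem: (k) => store.delete(k),
    },
    history: {
      // Just enough of replaceState to update the fake address bar.
      replaceState(_state, _title, url) {
        const u = new URL(url, 'https://app.example');
        location.pathname = u.pathname;
        location.search = u.search;
        location.hash = u.hash;
      },
    },
  };
}

// Usage with a constructed callback URL (sample data, not a real token):
const demo = makeFakeWindow('#access_token=abcdef&state=xyz&token_type=bearer',
                            { oauth_state: 'xyz' });
captureAccessToken(demo);
```

Two caveats worth keeping in mind. The fragment is never sent in the HTTP request, so the token does not travel to the callback server even over plain HTTP; what HTTP does expose is the page and script that handle it, which an on-path attacker can rewrite to exfiltrate the token, so the HTTPS callback is still required. And sessionStorage is per tab and cleared when the tab closes, which limits the token's exposure but also means each new tab has to go through the flow again.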