Progress on the issue:
- According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6750#section-5.3 , the bearer access_token « SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations. »
Friendica does this right. It looks like Mastodon wrongly accepts the token as a URL argument. (Surprising, isn't it?)
I will propose a fix for the SPIP plugin so it can pass the access_token in the Authorization header, for both Friendica and Mastodon, and hopefully other creatures of the fediverse.
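As an added example (not code from the SPIP plugin, Friendica or Mastodon), the two client request shapes discussed above, built with Python's standard library so they can be inspected without a network. The instance host, token and status text are made up; the `/api/v1/statuses` endpoint and `status` form field are assumed from the publicly documented Mastodon client API, and `access_log_request_line` mimics the request line a typical web server access log stores, which is exactly where RFC 6750 says a token in the URL ends up.

```python
"""Bearer token in the URL versus in the Authorization header (RFC 6750).

Added example, not code from the SPIP plugin, Friendica or Mastodon.
All values below are constructed; nothing is a real host or credential.
"""
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed sample values (assumptions for the example).
INSTANCE = "https://mastodon.example"
ACCESS_TOKEN = "example-token-do-not-use"
# Endpoint and field name assumed from the documented Mastodon client API.
STATUSES_PATH = "/api/v1/statuses"


def build_request_token_in_url(instance: str, token: str, text: str) -> Request:
    """The pattern RFC 6750 section 5.3 warns against: the token is a query
    parameter, so it is part of the request target that servers, proxies and
    browsers record."""
    query = urlencode({"access_token": token})
    body = urlencode({"status": text}).encode()
    return Request(f"{instance}{STATUSES_PATH}?{query}", data=body, method="POST")


def build_request_token_in_header(instance: str, token: str, text: str) -> Request:
    """The proposed fix: token in the Authorization header (RFC 6750 section
    2.1); the URL carries nothing secret."""
    body = urlencode({"status": text}).encode()
    return Request(
        f"{instance}{STATUSES_PATH}",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def access_log_request_line(req: Request) -> str:
    """The request line a typical access log records: method, path plus query,
    protocol. Headers and body are not part of it, which is why moving the
    token out of the URL keeps it out of this log."""
    parts = urlsplit(req.full_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f'"{req.get_method()} {target} HTTP/1.1"'


def token_in_url(req: Request, token: str) -> bool:
    """True if the token appears in the path or in any decoded query value."""
    parts = urlsplit(req.full_url)
    if token in parts.path:
        return True
    return any(token in v for vals in parse_qs(parts.query).values() for v in vals)


def uses_bearer_header(req: Request, token: str) -> bool:
    """True if the request carries the token as an RFC 6750 Bearer header."""
    return req.get_header("Authorization") == f"Bearer {token}"


if __name__ == "__main__":
    bad = build_request_token_in_url(INSTANCE, ACCESS_TOKEN, "hello fediverse")
    good = build_request_token_in_header(INSTANCE, ACCESS_TOKEN, "hello fediverse")
    print("before:", access_log_request_line(bad))   # token visible in the log line
    print("after: ", access_log_request_line(good))  # clean path only
    print("token in URL before/after:", token_in_url(bad, ACCESS_TOKEN), token_in_url(good, ACCESS_TOKEN))
    print("Bearer header after fix:  ", uses_bearer_header(good, ACCESS_TOKEN))
```

The same two checks are what a reviewer of the plugin change would want to see: the rendered request target no longer contains the token, and the `Authorization` header does. A server that only reads the token from the query string would reject the second form, so testing it against each target server (Friendica, Mastodon) is part of the fix.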