refresh_token post data with query params?

  • 17 July 2023
  • 1 reply
  • 36 views

Badge

Hi,

 

Awesome platform and I love the documentation & onboarding for new developers, kudos to all the hard work!

 

I am curious about the way to refresh an access_token described here:

https://developers.miro.com/reference/get-new-access-token-using-refresh-token

 

The docs suggest we should send a post request with our sensitive data as query params

https://api.miro.com/v1/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN

 

However, adding sensitive data to query params is generally not good practice:
 

  1. Query parameters are often logged: Web servers or proxy servers may log the URLs, including the query parameters, which could expose sensitive data in logs. This poses a risk if the logs are accessible to unauthorized individuals.

  2. Query parameters may be stored in browser history: If the request is made through a web browser, the URL with the query parameters may be stored in the browser's history. If someone gains access to the browser or its history, they could retrieve the sensitive data.


Is there a way to send the data as the encrypted body method of a post request? I am trying but it does not seem possible. Is there a reason query params were chosen?

 

Hope this helps,

Thanks


1 reply

Userlevel 6
Badge +4

Hey @SeanGPT,

Thanks a lot for reaching out about this, and very glad to hear you’ve found our documentation and onboarding helpful so far!

As for your feedback regarding the usage of query params on our OAuth endpoint, it’s very fair feedback, and something I’ve raised with our team here to consider improving. 

In the meantime, I should note that you should also send these details in the request body as key, value pairs using:

Content-Type: application/x-www-form-urlencoded

 

Here’s a quick cURL example for getting an access_token (you should be able to do the same for refresh_token flow):

curl --location --request POST 'https://api.miro.com/v1/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={{clientId}}' \
--data-urlencode 'client_secret={{clientSecret}}' \
--data-urlencode 'code={{code}}' \
--data-urlencode 'redirect_uri={{redirectUri}}'

Thanks again for the feedback, and let me know if this helps in the meantime!

Best,
Will

Reply