I'm implementing Flask REST API with Flask-Oauthlib and wondering is it ok to pass username and password in URL parameters? For example:
GET http://127.0.0.1:5000/api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass
In my development environment all the requests are showing in logs as plain text like this:
127.0.0.1 - "GET /api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass HTTP/1.1" 200 -
Is there any way to pass base64 encoded username/pass in request headers? All the password grant type examples are using username and password in URL parameters, so don't know is this a really problem if server will use SSL.
The OAuth protocol spec says that the parameters must be POST-ed to the token endpoint. By accepting them as query parameters the Authorization Server violates the spec. Better use POST to avoid the credentials ending up in log files.