I am auditing a app and i see my current user login with SSO with google but his access token is visible in Network.
As i am current user and this is my access token, but still is it OK … figuring out with Oauth client used because i dont like subh information be available to user a
It’s your own user’s access token, it’s fine for them to see it (necessary, even).
Okey, thanks but arent a red flag rise , if a bot or somethign is seeing reading my broser its will be detected .
but you are right at the end , Security come the hardware part, its user responsibility to make sure his system is not enfected.
in the end tokens sent by clients to servers are always available to the client. It is impossible to have a security system where the client doesnt know the token.
In the old days people would scan the computer ram for security credentials. If your application uses them they 100% will be available.
You can obfuscate them, but you cant make them inaccessible.
In security there is what you have and what you know. The best security systems use both.
The what you know ideally is never written down and only passes to the server for an instant. The what you have shows that you have something in your possession.
