Spring OAuth2 安全问题

Question

I am currently implementing Authorization_Code type OAuth2 flow to have single-sign-on (SSO) on my website.

Here is my code that enables it.

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    // @formatter:off
    http.authorizeRequests()
        .antMatchers("/login", "/authorize", "/error")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and().formLogin().loginPage("https://sso.mywebsite.com").loginProcessingUrl("/perform_login")
        .defaultSuccessUrl("/success",true)
        .failureUrl("/error").permitAll()
        .and()
        .csrf()
        .disable();
    // @formatter:on
  }

My concern is described below.

To make a login request (with username and password), sso.mywebsite.com should make a POST request to my oAuth service - http://oauth/perform_login?username=USERNAME&password=PASSWORD .

I tried it with Postman and it works. However, isn't this a security problem to send plain username and password like above in query param? I thought exposing user credential in uri (query param) could get captured by various network sniffing tools.

Is there a way to do this in different method?

Answer 1

1. As long as you are using HTTPS, your query parameters will be secure.
2. I am unclear, why your SSO website should make a POST to that URL (and also, why instead of having a POST body, append the parameters via the url). Shouldn't it rather "redirect" to the login page/authorization server or is the code above from your authorization server? It was a bit unclear from your description.