PT-2026-29832

Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback Summary The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer...