Marketo access token - GET/ POST | Community
Level 3
December 30, 2024
Solved


Hi,

I noticed Marketo has GET/POST endpoints to get an access token, but both endpoints accept query parameters only. Is there any reason?

<URL>/identity/oauth/token?client_id=<Client Id>&client_secret=<Client Secret>&grant_type=client_credentials

Client ID and secret are exposed to the internet when passing them as query parameters. Is there any better approach to prevent exposing the client ID and secret?


Thanks,

Babu


1 reply

SanfordWhiteman
Level 10
December 31, 2024

Client ID and secret are exposed to the internet when passing them as query parameters

In what way are they "exposed"?


Anyone who can intercept the TLS connection between your back end server and Marketo (if that’s truly what your company is concerned about) can read the entire HTTP transaction. No difference whether credentials are in the URL or the body.

Level 3
December 31, 2024

Thank you, Sanford!

By "exposed" I mean the client ID and client secret are visible in plain text in a URL.

That is true, I agree with you, but plain text in a URL is more vulnerable than hacking a network protocol.

It could be more stringent than just having plain text in a URL.

Maybe something along the lines of not supporting the access token in a query parameter to call any of the Web APIs from June 2025.


Thanks,

Babu

SanfordWhiteman (Accepted solution)
Level 10
December 31, 2024

It's not more secure in any way!

The path and query of an https:// URL are never passed in plain text. Ever. They are as secure as the body of a https:// request. You would need to hack the TLS connection in both cases, which is vanishingly unlikely for a server-to-server connection.

I recommend you fire up a network monitor and watch the TLS connection. You'll never see query parameters in plain text, because that's not how the protocol works. Everything is encrypted except for the hostname (and even *that* will be encrypted if the client and server support ESNI or ECH).
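As an added illustration of the point above (example code, not from the thread, Marketo, or a real capture): the only field a passive observer can read is the SNI hostname in the ClientHello, while the record carrying the HTTP request, whether the credentials sit in the query string or the body, reveals nothing but its length. The hostname, the zeroed random and the stand-in ciphertext are constructed values.

```python
import struct
# Constructed TLS records, not a capture: the observer sees the SNI hostname and, for the request, only a length.

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record carrying only a server_name extension."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni               # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                # legacy version, zeroed random
            + b"\x00"                                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                   # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 0x16 = handshake

def extract_sni(record: bytes) -> "str | None":
    """Walk a ClientHello to its extensions and return the server_name, if any."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
        p += 1 + record[p]                                   # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
        p += 1 + record[p]                                   # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            if etype == 0x0000:
                name_len = struct.unpack("!H", record[p + 7:p + 9])[0]
                return record[p + 9:p + 9 + name_len].decode()
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):   # truncated or malformed record
        pass
    return None

def observer_view(record: bytes) -> dict:
    """Everything a party without the session keys learns from one TLS record."""
    rtype, length = record[0], struct.unpack("!H", record[3:5])[0]
    if rtype == 0x16:
        return {"record": "handshake", "hostname": extract_sni(record)}
    if rtype == 0x17:
        return {"record": "application_data", "ciphertext_bytes": length}
    return {"record": hex(rtype)}

def application_data_record(ciphertext: bytes) -> bytes:
    # Wrap AEAD output (caller passes a stand-in; nothing is encrypted here) in a TLS record.
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext
```

Feeding a real ClientHello (the first TLS record from a packet capture) to extract_sni returns the same hostname the thread describes as the only plaintext, unless ECH is in use.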