
Enhancement Request: Support Bearer Token in Query Parameters #1480

Open
mdaneri opened this issue Feb 8, 2025 · 0 comments

Comments


mdaneri commented Feb 8, 2025

Description
Currently, Pode only supports bearer authentication via the Authorization header. However, per [RFC 6750, Section 2.3](https://datatracker.ietf.org/doc/html/rfc6750#section-2.3), bearer tokens can also be transmitted as query parameters. This enhancement adds support for parsing bearer tokens from query parameters, improving compatibility with clients that may not support custom headers.

Proposed Enhancements

  • Allow bearer tokens in query parameters: Pode should accept tokens passed via the access_token query parameter.
  • Example Usage:
    GET /protected-resource?access_token=<jwt>
    
  • Security Consideration:
    • The Authorization header remains the recommended method for sending bearer tokens.
    • Query parameters may expose tokens in logs, so their use should be limited to cases where headers are not feasible.
    • Pode should log a warning when bearer tokens are received via query parameters to remind developers of potential security risks.

Why This is Needed

  • Improves compatibility with web applications that rely on query parameters for authentication.
  • Aligns Pode’s bearer authentication implementation with RFC 6750.
  • Allows greater flexibility for API consumers while maintaining security recommendations.

References
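As an added example (not Pode's code and not part of the issue above), the following Python sketch shows the extraction logic this request describes together with the checks RFC 6750 expects of a server: the Authorization header is preferred, the access_token query parameter is a fallback, a request using both methods (or repeating the parameter) is rejected as invalid_request, the query path emits a warning, successful responses get Cache-Control: private, and the token is masked before the URL reaches an access log. All function names are assumptions.

```python
import logging
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("bearer")

# RFC 6750 section 2.1 token syntax: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


class InvalidRequest(Exception):
    """Maps to the RFC 6750 'invalid_request' error (HTTP 400)."""


def extract_bearer_token(headers: Dict[str, str], url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, source); source is 'header', 'query' or None when absent.

    The header (section 2.1) wins over the query parameter (section 2.3); using
    both, or repeating the parameter, is invalid_request (section 3.1).
    """
    header_token = None
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth:
        scheme, _, credentials = auth.partition(" ")
        if scheme.lower() == "bearer" and credentials.strip():
            header_token = credentials.strip()

    query_tokens = parse_qs(urlsplit(url).query).get("access_token", [])
    if len(query_tokens) > 1:
        raise InvalidRequest("access_token parameter repeated")
    query_token = query_tokens[0] if query_tokens else None

    if header_token and query_token:
        raise InvalidRequest("token sent via more than one method")
    token, source = (header_token, "header") if header_token else (query_token, "query")
    if token is None:
        return None, None
    if not _B64TOKEN.match(token):
        raise InvalidRequest("malformed bearer token")
    if source == "query":
        # Warn without echoing the token itself into the log.
        log.warning("bearer token received via access_token query parameter; prefer the Authorization header")
    return token, source


def response_headers_for(source: Optional[str]) -> Dict[str, str]:
    """RFC 6750 2.3: 2xx responses to query-parameter requests SHOULD carry Cache-Control: private."""
    return {"Cache-Control": "private"} if source == "query" else {}


def redact_url_for_log(url: str) -> str:
    """Mask the access_token value so access logs do not capture the token."""
    return re.sub(r"(access_token=)[^&#]*", r"\1[REDACTED]", url)
```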
