-1

We want the token of the user generated in the Mobile App SignIn to be transferred to the WebUI. What would be the better approach for sharing confidential data with the WebUI?

Do we follow something like this? https://example.com/redirect?token=12121

1 Answer

1

You can do that, or in the body of the HTTPS request, e.g., JSON-formatted. But in either case, best practice is to not call the key "token". That means, instead of https://example.com/redirect?token=12121, something like https://example.com/redirect?dlqkjg12EW23=12121.

Depending on the security requirements, you could also encrypt the token value (separately, in addition to the HTTPS encryption), e.g., with a shared secret. You could also compute a cryptographic hash for integrity protection, etc.
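The integrity-protection option mentioned in the answer above, sketched as an added example that is not part of the original answer: the mobile side attaches an HMAC-SHA256 tag computed with the shared secret, and the WebUI side rejects values that are altered or stale. The secret, the 60-second lifetime and the function names `protect` and `verify` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret; both sides would load the real one from secure configuration.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
MAX_AGE_SECONDS = 60  # assumption: the handoff value is short-lived


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protect(token: str, now: Optional[float] = None) -> str:
    """Mobile side: return 'payload.tag' with tag = HMAC-SHA256(secret, payload)."""
    issued = int(time.time() if now is None else now)
    payload = _b64(f"{issued}:{token}".encode("utf-8"))
    tag = hmac.new(SHARED_SECRET, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify(value: str, now: Optional[float] = None) -> Optional[str]:
    """WebUI side: return the token, or None if malformed, altered or stale."""
    try:
        payload, tag_text = value.split(".")
        expected = hmac.new(SHARED_SECRET, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison, done before the payload is parsed.
        if not hmac.compare_digest(_unb64(tag_text), expected):
            return None
        issued_text, token = _unb64(payload).decode("utf-8").split(":", 1)
        issued = int(issued_text)
    except ValueError:  # also covers bad base64 and bad UTF-8/ASCII
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued <= MAX_AGE_SECONDS:
        return None
    return token
```

The tag provides integrity only: the token is still readable inside the payload, so its confidentiality continues to rest on HTTPS or on the separate encryption step the answer mentions.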
