Description
When using OIDC, the ID token is sent as a query string parameter in GET requests. Many web servers / ingress controllers log the query string.
Impact
A person with simple read access on the ingress controller pods' logs could retrieve an ID token, possibly granting this person more permissions than needed, not only on Nebraska but on various other apps also using OIDC.
Environment and steps to reproduce
Deploy nebraska and expose it through an Ingress (I tested with Nginx)
Watch the ingress controller logs and see the query string parameter being logged:
Expected behavior
ID tokens should not be exposed using a query string
Additional information
I am not that familiar with the various OIDC authentication flows that exist, so I may be missing something here. Maybe the token cannot be used as is, but I think it's worth checking this out ^^
Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body.
Resource servers MAY support this method.
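As an added example (not code from the Nebraska project or from anyone in this issue), the Go program below shows the three pieces a defender wants around the RFC 6750 point quoted above: a request-side helper that only accepts the token from the `Authorization: Bearer` header and refuses one carried in the query string, a log-side redaction of token query parameters, and a check over access-log lines for JWTs that were already written. The parameter names `id_token` and `access_token`, the function names, the error values and the nginx-style sample log lines are all assumptions made for illustration, not values taken from Nebraska or from a real deployment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Query parameters that must never carry a token (assumed names for this
// example; not taken from Nebraska's code).
var sensitiveParams = []string{"id_token", "access_token"}

// Hypothetical sentinel errors for this example.
var (
	ErrNoBearer     = fmt.Errorf("missing or malformed Authorization: Bearer header")
	ErrTokenInQuery = fmt.Errorf("token supplied in query string is refused")
)

// BearerToken reads the token only from the Authorization header (RFC 6750
// section 2.1). A token in the query string (section 2.3) is refused outright so
// that a misconfigured client gets a clear error instead of a logged secret.
func BearerToken(r *http.Request) (string, error) {
	q := r.URL.Query()
	for _, p := range sensitiveParams {
		if _, present := q[p]; present {
			return "", ErrTokenInQuery
		}
	}
	auth := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if len(auth) <= len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
		return "", ErrNoBearer
	}
	return strings.TrimSpace(auth[len(prefix):]), nil
}

// RedactURL replaces the values of sensitive query parameters with "REDACTED"
// so the URL can be written to an access log. Other parameters are kept
// (re-encoded in sorted key order); an unparsable URL is returned unchanged.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return rawURL
	}
	q := u.Query()
	changed := false
	for _, p := range sensitiveParams {
		if _, present := q[p]; present {
			q.Set(p, "REDACTED")
			changed = true
		}
	}
	if changed {
		u.RawQuery = q.Encode()
	}
	return u.String()
}

// jwtInQuery matches a JWT-shaped value (three base64url segments; a JSON
// header always base64url-encodes to a prefix of "eyJ") in a token parameter.
var jwtInQuery = regexp.MustCompile(
	`(?:id_token|access_token)=eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*`)

// LeakedTokenLines returns the 0-based indices of access-log lines that carry
// a JWT in a token query parameter: a quick check of whether an existing
// deployment has already exposed tokens through its logs.
func LeakedTokenLines(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if jwtInQuery.MatchString(l) {
			hits = append(hits, i)
		}
	}
	return hits
}

// Constructed sample log lines in nginx access-log style; not real captured logs.
var sampleLog = []string{
	`10.0.0.7 - - [01/Jan/2024:00:00:00 +0000] "GET /login/cb?state=abc&id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln HTTP/1.1" 302 0`,
	`10.0.0.7 - - [01/Jan/2024:00:00:01 +0000] "GET /api/apps HTTP/1.1" 200 512`,
	`10.0.0.9 - - [01/Jan/2024:00:00:02 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 8192`,
}

func main() {
	for _, i := range LeakedTokenLines(sampleLog) {
		fmt.Printf("token found in query string on log line %d\n", i)
	}
	fmt.Println(RedactURL("/login/cb?id_token=eyJhbGciOi.abc.def&state=xyz"))

	req, _ := http.NewRequest("GET", "/api/apps", nil)
	req.Header.Set("Authorization", "Bearer example-token")
	tok, err := BearerToken(req)
	fmt.Println(tok, err)
}
```

Running it reports line 0 of the sample log as a leak, prints the redacted URL, and shows the header-based extraction succeeding; calling `BearerToken` on a request whose URL contains `id_token=` returns `ErrTokenInQuery` even if a valid header is also present.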