Currently, the access_token (bearer token) is passed to the server as a URL query parameter. This is not best practice, since access/bearer tokens end up in the URL, where intermediaries can capture them.
Instead, these tokens should be placed in the HTTP header of each call:
Bearer tokens (access tokens) are no longer passed in the URL as a query parameter; instead they are sent in the HTTP header.
Headers are usable through Swagger in each service.
The UI does not send the access token through URLs (except for PDF downloads opened in a new window).
Inter-service communication still works.
Do we want to retain support for using the token in the URL? If not, should we consider this a major version change for every service?
OAuth supports both by default - so for now I am just leaving the two options on the table, while making OLMIS itself always use headers instead of a request param.
That sounds to me like a reasonable choice, where each implementor can make their own decision.
I checked, and everything works correctly.
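As an added illustration (not OpenLMIS code), a framework-agnostic extractor that reflects the change described above and the dual-support option discussed in the comments: it prefers the Authorization header, accepts the legacy access_token query parameter only when an implementor opts in, and reports which path was used so that remaining query-parameter callers can be spotted; a second helper redacts the token before a URL is written to a log. Header names, URLs and token values here are constructed sample inputs.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical helper, not part of any OpenLMIS service.
# RFC 6750 header form: "Authorization: Bearer <token>" (scheme is case-insensitive).
_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def extract_bearer_token(headers, url, allow_query_param=False):
    """Return (token, source); source is 'header', 'query' or None when absent.

    headers: dict of request headers (constructed sample input).
    url: full request URL, read only for the legacy access_token parameter.
    allow_query_param: the implementor's choice to keep the legacy URL form.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth:
        match = _BEARER_RE.match(auth.strip())
        if match:
            return match.group(1), "header"
    if allow_query_param:
        tokens = parse_qs(urlsplit(url).query).get("access_token")
        if tokens:
            # Legacy path: still accepted, but the caller is told it came from the
            # URL so the request can be counted or logged as "not yet migrated".
            return tokens[0], "query"
    return None, None


def redact_token_in_url(url):
    """Replace any access_token value with a placeholder before the URL is logged."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "access_token" not in params:
        return url
    params["access_token"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))
```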