...
Additionally, we should require that a refresh token be passed in the request body and not as a URL request parameter. If the token is passed as a request parameter, the full URL, including the token, will be recorded in web application firewall logs and in the server's access logs, so passing it that way is insecure.
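The following added example (not Synapse code) makes the logging point concrete: a constructed, combined-style access-log line records the request line with its query string but never the body, and a hypothetical token-endpoint handler refuses a refresh token that arrives as a URL parameter instead of silently accepting it. The endpoint path /oauth2/token, the log format and the token values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Added example, not Synapse's code. Shows why a refresh token in the query string
# ends up in access logs, and a token-endpoint check that accepts it only from the body.


def access_log_line(client_ip, method, url, status):
    """Constructed approximation of a common/combined access-log entry, the kind a WAF
    or web server typically writes: the request line carries the query string, never the body."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'{client_ip} - - "{method} {target} HTTP/1.1" {status}'


def token_is_logged(url, token):
    """True if the refresh token value would appear verbatim in the access log for this request."""
    return token in access_log_line("203.0.113.5", "POST", url, 200)


def refresh_token_from_request(url, form_body):
    """Hypothetical token-endpoint handling: reject a refresh_token sent as a query
    parameter outright, so a misbehaving client is noticed rather than quietly served."""
    query = parse_qs(urlsplit(url).query)
    if "refresh_token" in query:
        raise ValueError("refresh_token must be sent in the request body, not as a URL parameter")
    token = form_body.get("refresh_token")
    if not token:
        raise ValueError("refresh_token missing from request body")
    return token


if __name__ == "__main__":
    # Constructed sample requests; /oauth2/token is an assumed endpoint path.
    bad = "/oauth2/token?grant_type=refresh_token&refresh_token=rt-secret-123"
    good = "/oauth2/token"
    print(access_log_line("203.0.113.5", "POST", bad, 200))   # token visible in the log line
    print(access_log_line("203.0.113.5", "POST", good, 200))  # body never reaches the log
    print(refresh_token_from_request(good, {"grant_type": "refresh_token", "refresh_token": "rt-secret-123"}))
```

The same reasoning applies to proxies, load balancers and browser history: anything that stores the URL stores the token, whereas a form-encoded body is only seen by the endpoint that consumes it.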
We should also consider enabling the device code flow for cases where a user may be accessing Synapse from a command line app without a browser. This is the “smart TV” flow: the client requests a short code from Synapse and displays the code to the user; the user enters the code into Synapse on a separate device that does have a browser, and the authorization is approved there.
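As an added illustration of that flow (not Synapse's implementation), the block below models the authorization server side of the device authorization grant as standardized in RFC 8628: the command line client obtains a device code and a short user code, the user approves the user code from a browser on another device, and the client polls the token endpoint until it is told the grant is approved. The in-memory storage, the verification URI, the code lifetime and polling interval, and the injected clock are assumptions made so the example runs offline; the error strings (authorization_pending, slow_down, expired_token) are the ones RFC 8628 defines.

```python
import secrets
import time

# Added example, not Synapse's code: in-memory model of the RFC 8628 device authorization grant.
# User codes use the consonant-only alphabet the RFC suggests, to avoid ambiguous characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class DeviceFlowServer:
    def __init__(self, clock=time.time, lifetime=600, interval=5):
        self.clock = clock          # injectable clock so expiry and rate limits are testable
        self.lifetime = lifetime    # seconds a device/user code pair stays valid (assumed value)
        self.interval = interval    # minimum seconds between polls (assumed value)
        self._grants = {}           # device_code -> grant record
        self._by_user_code = {}     # user_code -> device_code

    def request_device_code(self, client_id):
        """Step 1: the browserless client asks for a device code and a short user code to display."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self._grants[device_code] = {
            "client_id": client_id, "user_code": user_code, "approved": False,
            "redeemed": False, "expires_at": self.clock() + self.lifetime, "last_poll": None,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://example.invalid/device",  # assumed URI
            "expires_in": self.lifetime, "interval": self.interval,
        }

    def approve_user_code(self, user_code):
        """Step 2: called from the authenticated browser session on the other device,
        after the user typed the code and consented. Returns False for unknown or expired codes."""
        device_code = self._by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return False
        grant = self._grants[device_code]
        if self.clock() > grant["expires_at"]:
            return False
        grant["approved"] = True
        return True

    def poll_token(self, device_code):
        """Step 3: the client polls with its device code until approval; the device code is
        single-use and polling faster than the interval is answered with slow_down."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < self.interval:
            grant["last_poll"] = now
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if not grant["approved"]:
            return {"error": "authorization_pending"}
        if grant["redeemed"]:
            return {"error": "invalid_grant"}
        grant["redeemed"] = True
        return {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,  # assumed access-token lifetime
        }


if __name__ == "__main__":
    server = DeviceFlowServer()
    start = server.request_device_code("synapse-cli")
    print("Visit", start["verification_uri"], "and enter", start["user_code"])
    print(server.poll_token(start["device_code"]))          # authorization_pending
    server.approve_user_code(start["user_code"])            # user acts in the browser
    time.sleep(server.interval)
    print(server.poll_token(start["device_code"]))          # tokens issued once
```

The device code is the only secret the client holds, and it is never shown to the user; the user code is short because a human has to type it, which is why it must expire quickly and be bound to a single device code.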
Public vs. Private Clients - A Security Note
...