--- a/NEWS	Mon Mar 18 11:58:20 2024 +0100
+++ b/NEWS	Mon Mar 18 14:52:33 2024 +0100
@@ -9,7 +9,8 @@
   is no StudyInstanceUID in the query.
   This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/..
   on studies that have at least one authorized_labels.
-
+* The GET argument tokens are now also added as HTTP headers in the query to the
+  auth-service (this was already done only for Header tokens).
 
 
 2024-02-16 - v 0.7.0

--- a/Plugin/AuthorizationWebService.cpp	Mon Mar 18 11:58:20 2024 +0100
+++ b/Plugin/AuthorizationWebService.cpp	Mon Mar 18 14:52:33 2024 +0100
@@ -116,14 +116,14 @@
     authClient.AddHeader("Expect", "");
     authClient.SetTimeout(10);
 
-    if (token != NULL &&
-        token->GetType() == TokenType_HttpHeader)
+    if (token != NULL) 
     {
-      // If the token source is a HTTP header, forward it also as a
-      // HTTP header except if it is the Authorization header that might conflict with username_ and password_
+      // Also include the token in the HTTP headers of the query to the auth-service.
       std::string lowerTokenKey;
       Orthanc::Toolbox::ToLowerCase(lowerTokenKey, token->GetKey());
       
+      // However, if we have defined a username/password to access this webservice, 
+      // we should make sure that the added token does not interfere with the username_ and password_.
       if (!(lowerTokenKey == "authorization" && !username_.empty()))
       {
         authClient.AddHeader(token->GetKey(), tokenValue);